Source: |
Binary string: WinTypes.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126024539923.00000000068B8000.00000004.00000001.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb( source: WerFault.exe, 00000014.00000003.125904782894.0000000005CEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126018047691.0000000006475000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdb( source: WerFault.exe, 00000014.00000003.125904003059.0000000002DFC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008791375.00000000033D5000.00000004.00000001.sdmp |
Source: |
Binary string: coml2.pdb6H&8e source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009250720.000000000334B000.00000004.00000001.sdmp |
Source: |
Binary string: ntmarta.pdb( source: WerFault.exe, 00000014.00000003.125910819500.0000000005D29000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023579033.00000000068B2000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008890066.00000000033E0000.00000004.00000001.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.125905933053.0000000005C3F000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126013564666.00000000033F7000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033173702.0000000005431000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdb$H48s source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp |
Source: |
Binary string: CoreMessaging.pdb source: WerFault.exe, 00000014.00000003.125913249873.0000000005D18000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126017165802.000000000649F000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: apphelp.pdb( source: WerFault.exe, 00000014.00000003.125903738538.0000000002D80000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009354250.0000000003358000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.125905520713.0000000002DF6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033269253.0000000005520000.00000004.00000040.sdmp |
Source: |
Binary string: oleaut32.pdb( source: WerFault.exe, 00000014.00000003.125909078051.0000000005CE0000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126012936139.000000000646A000.00000004.00000001.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126010636897.00000000033E6000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdb( source: WerFault.exe, 00000014.00000003.125905831080.0000000005C34000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008890066.00000000033E0000.00000004.00000001.sdmp |
Source: |
Binary string: ntmarta.pdb source: WerFault.exe, 00000014.00000003.125910819500.0000000005D29000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023579033.00000000068B2000.00000004.00000001.sdmp |
Source: |
Binary string: coml2.pdb( source: WerFault.exe, 00000017.00000003.126018806279.000000000648C000.00000004.00000001.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008843786.00000000033DB000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb( source: WerFault.exe, 00000014.00000003.125904733671.0000000005CE6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016753163.0000000006470000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.125900100057.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.125904733671.0000000005CE6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016753163.0000000006470000.00000004.00000001.sdmp |
Source: |
Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000014.00000003.125915266650.0000000005D13000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022235396.0000000006499000.00000004.00000001.sdmp |
Source: |
Binary string: TextShaping.pdb source: WerFault.exe, 00000014.00000003.125917002362.0000000006562000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.125927969397.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008696474.00000000033CA000.00000004.00000001.sdmp |
Source: |
Binary string: oleaut32.pdbQ source: WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: CoreMessaging.pdb( source: WerFault.exe, 00000014.00000003.125913249873.0000000005D18000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126017165802.000000000649F000.00000004.00000001.sdmp |
Source: |
Binary string: sxs.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: bcryptprimitives.pdb( source: WerFault.exe, 00000014.00000003.125909199577.0000000005CF1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016848001.000000000647B000.00000004.00000001.sdmp |
Source: |
Binary string: wUxTheme.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126019837993.000000000613C000.00000004.00000001.sdmp |
Source: |
Binary string: sechost.pdb( source: WerFault.exe, 00000014.00000003.125905988617.0000000005C45000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010047688.00000000033F1000.00000004.00000001.sdmp |
Source: |
Binary string: combase.pdb( source: WerFault.exe, 00000014.00000003.125907854720.0000000002E1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010408748.00000000060E2000.00000004.00000001.sdmp |
Source: |
Binary string: CoreUIComponents.pdb( source: WerFault.exe, 00000014.00000003.125915266650.0000000005D13000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022235396.0000000006499000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp |
Source: |
Binary string: msvcrt.pdb( source: WerFault.exe, 00000014.00000003.125905933053.0000000005C3F000.00000004.00000001.sdmp |
Source: |
Binary string: ws2_32.pdb source: WerFault.exe, 00000014.00000003.125917746027.0000000005D1E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb( source: WerFault.exe, 00000014.00000003.125907125589.0000000005C3A000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010636897.00000000033E6000.00000004.00000001.sdmp |
Source: |
Binary string: coml2.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126018806279.000000000648C000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008791375.00000000033D5000.00000004.00000001.sdmp |
Source: |
Binary string: WinTypes.pdb( source: WerFault.exe, 00000017.00000003.126024539923.00000000068B8000.00000004.00000001.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126010047688.00000000033F1000.00000004.00000001.sdmp |
Source: |
Binary string: ws2_32.pdb8H 8 source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp |
Source: |
Binary string: wrpcrt4.pdb( source: WerFault.exe, 00000017.00000003.126013564666.00000000033F7000.00000004.00000001.sdmp |
Source: |
Binary string: msctf.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126021040208.0000000006486000.00000004.00000001.sdmp |
Source: |
Binary string: ,wntdll.pdb source: WerFault.exe, 00000014.00000003.125899412774.0000000002D70000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdb( source: WerFault.exe, 00000017.00000003.126008696474.00000000033CA000.00000004.00000001.sdmp |
Source: |
Binary string: TextInputFramework.pdb source: WerFault.exe, 00000014.00000003.125910630742.0000000005D0D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022159017.0000000006493000.00000004.00000001.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126018047691.0000000006475000.00000004.00000001.sdmp |
Source: |
Binary string: TextShaping.pdb( source: WerFault.exe, 00000014.00000003.125917002362.0000000006562000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023187158.00000000068BD000.00000004.00000001.sdmp |
Source: |
Binary string: ws2_32.pdb( source: WerFault.exe, 00000014.00000003.125917746027.0000000005D1E000.00000004.00000001.sdmp |
Source: |
Binary string: wUxTheme.pdb( source: WerFault.exe, 00000017.00000003.126019837993.000000000613C000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32.pdb( source: WerFault.exe, 00000014.00000003.125905520713.0000000002DF6000.00000004.00000001.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.125909199577.0000000005CF1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016848001.000000000647B000.00000004.00000001.sdmp |
Source: |
Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Sales Order List.exe, 00000004.00000003.125766201878.000000001F5C1000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.125849081972.000000000EA70000.00000040.00000001.sdmp |
Source: |
Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Sales Order List.exe, 00000004.00000003.125766201878.000000001F5C1000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.125849081972.000000000EA70000.00000040.00000001.sdmp |
Source: |
Binary string: msctf.pdb( source: WerFault.exe, 00000014.00000003.125910562779.0000000005D02000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126021040208.0000000006486000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.125903704223.0000000002D7B000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.125907854720.0000000002E1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010408748.00000000060E2000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb( source: WerFault.exe, 00000014.00000003.125905424783.0000000002DEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008630763.00000000033C4000.00000004.00000001.sdmp |
Source: |
Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.125903667098.0000000002D75000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009250720.000000000334B000.00000004.00000001.sdmp |
Source: |
Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126012936139.000000000646A000.00000004.00000001.sdmp |
Source: |
Binary string: coml2.pdb} source: WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: TextInputFramework.pdb( source: WerFault.exe, 00000014.00000003.125910630742.0000000005D0D000.00000004.00000001.sdmp |
Source: |
Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.125927969397.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126009354250.0000000003358000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.125905424783.0000000002DEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008630763.00000000033C4000.00000004.00000001.sdmp |
Source: |
Binary string: ole32.pdb( source: WerFault.exe, 00000014.00000003.125907817675.0000000002E17000.00000004.00000001.sdmp |
Source: |
Binary string: msvcp_win.pdb( source: WerFault.exe, 00000014.00000003.125904042199.0000000002E01000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008843786.00000000033DB000.00000004.00000001.sdmp |
Source: Sales Order List.exe, 00000004.00000003.125873230933.00000000018A9000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.125984504149.0000000005CE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.126063872302.0000000003308000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: Sales Order List.exe, 00000004.00000003.125873230933.00000000018A9000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.125984504149.0000000005CE1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.126063872302.0000000003308000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: explorer.exe, 0000000B.00000000.125799531795.0000000010A6D000.00000004.00000001.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: explorer.exe, 0000000B.00000002.130410544642.000000000CFBC000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys% |
Source: explorer.exe, 0000000B.00000000.125799531795.0000000010A6D000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: explorer.exe, 0000000B.00000002.130379831569.0000000000904000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl |
Source: explorer.exe, 0000000B.00000002.130410016644.000000000CF7B000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: explorer.exe, 0000000B.00000000.125786547597.000000000A940000.00000002.00020000.sdmp |
String found in binary or memory: http://schemas.micro |
Source: Sales Order List.exe |
String found in binary or memory: http://topqualityfreeware.com |
Source: Amcache.hve.LOG1.20.dr |
String found in binary or memory: http://upx.sf.net |
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp |
String found in binary or memory: http://www.foreca.com |
Source: Sales Order List.exe |
String found in binary or memory: http://www.topqualityfreeware.com/ |
Source: explorer.exe, 0000000B.00000002.130415876105.0000000010478000.00000004.00000001.sdmp |
String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppEM |
Source: explorer.exe, 0000000B.00000000.125824449017.0000000002E75000.00000004.00000001.sdmp |
String found in binary or memory: https://aka.ms/odirme |
Source: explorer.exe, 0000000B.00000002.130409357270.000000000CEEE000.00000004.00000001.sdmp |
String found in binary or memory: https://android.notify.windows.com/iOS |
Source: explorer.exe, 0000000B.00000000.125824045068.0000000002E1A000.00000004.00000001.sdmp |
String found in binary or memory: https://api.msn.com/ |
Source: explorer.exe, 0000000B.00000002.130406454585.000000000CBA2000.00000004.00000001.sdmp |
String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind |
Source: explorer.exe, 0000000B.00000002.130396156143.0000000009501000.00000004.00000001.sdmp |
String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows? |
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp |
String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o |
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp |
String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows? |
Source: explorer.exe, 0000000B.00000000.125782425758.00000000093FE000.00000004.00000001.sdmp |
String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?P |
Source: explorer.exe, 0000000B.00000002.130396156143.0000000009501000.00000004.00000001.sdmp |
String found in binary or memory: https://arc.msn.com |
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp |
String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg |
Source: explorer.exe, 0000000B.00000000.125845469977.000000000CF00000.00000004.00000001.sdmp |
String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation |
Source: explorer.exe, 0000000B.00000002.130379831569.0000000000904000.00000004.00000020.sdmp |
String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivations |
Source: Sales Order List.exe, 00000004.00000003.125743274575.00000000018B4000.00000004.00000001.sdmp |
String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/ |
Source: Sales Order List.exe, 00000004.00000003.125743274575.00000000018B4000.00000004.00000001.sdmp |
String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq |
Source: Sales Order List.exe |
String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/ |
Source: Sales Order List.exe, 00000004.00000003.125871810697.0000000001879000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/%%doc-0k-48-docs.googleusercontent.com |
Source: Sales Order List.exe, 00000004.00000003.125872058569.000000000189B000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/3 |
Source: Sales Order List.exe, 00000004.00000003.125872058569.000000000189B000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/7 |
Source: Sales Order List.exe, 00000004.00000003.125871877283.0000000001883000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/S~ |
Source: Sales Order List.exe, 00000004.00000003.125743274575.00000000018B4000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/145unl5i |
Source: Sales Order List.exe, 00000004.00000003.125873230933.00000000018A9000.00000004.00000001.sdmp |
String found in binary or memory: https://doc-0k-48-docs.googleusercontent.com/w |
Source: Sales Order List.exe, 00000004.00000003.125871692204.0000000001870000.00000004.00000001.sdmp |
String found in binary or memory: https://drive.google.com/ |
Source: Sales Order List.exe, 00000004.00000002.125875077297.0000000001827000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/4 |
Source: Sales Order List.exe, 00000004.00000002.125877417935.0000000003310000.00000004.00000001.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn |
Source: Sales Order List.exe, 00000004.00000002.125875077297.0000000001827000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvnY |
Source: Sales Order List.exe, 00000004.00000003.125743205436.00000000018AE000.00000004.00000001.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvnawmvg8FJU4CwcICFY |
Source: Sales Order List.exe, 00000004.00000002.125875077297.0000000001827000.00000004.00000020.sdmp |
String found in binary or memory: https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvnc |
Source: explorer.exe, 0000000B.00000000.125834112831.0000000009433000.00000004.00000001.sdmp |
String found in binary or memory: https://excel.office.com |
Source: explorer.exe, 0000000B.00000000.125794870721.000000000D0C8000.00000004.00000001.sdmp |
String found in binary or memory: https://excel.office.comn |
Source: Sales Order List.exe, 00000004.00000003.125765591469.00000000018A8000.00000004.00000001.sdmp |
String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC: |
Source: explorer.exe, 0000000B.00000000.125852646377.0000000010C17000.00000004.00000001.sdmp |
String found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt |
Source: explorer.exe, 0000000B.00000000.125852646377.0000000010C17000.00000004.00000001.sdmp |
String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1 |
Source: explorer.exe, 0000000B.00000000.125794870721.000000000D0C8000.00000004.00000001.sdmp |
String found in binary or memory: https://outlook.comows.CB |
Source: explorer.exe, 0000000B.00000000.125845469977.000000000CF00000.00000004.00000001.sdmp |
String found in binary or memory: https://powerpoint.office.com8 |
Source: WerFault.exe, 00000014.00000003.125950197304.0000000002D61000.00000004.00000001.sdmp |
String found in binary or memory: https://watson.telemet |
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp |
String found in binary or memory: https://windows.msn.com:443/shell |
Source: explorer.exe, 0000000B.00000002.130416256186.00000000104AE000.00000004.00000001.sdmp |
String found in binary or memory: https://wns.windows.com/ |
Source: explorer.exe, 0000000B.00000000.125794870721.000000000D0C8000.00000004.00000001.sdmp |
String found in binary or memory: https://word.office.com |
Source: explorer.exe, 0000000B.00000002.130414430727.0000000010370000.00000004.00000001.sdmp |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: explorer.exe, 0000000B.00000000.125847133037.000000000D094000.00000004.00000001.sdmp |
String found in binary or memory: https://www.msn.com/?ocid=iehp |
Source: explorer.exe, 0000000B.00000000.125847133037.000000000D094000.00000004.00000001.sdmp |
String found in binary or memory: https://www.msn.com/?ocid=iehpA |
Source: explorer.exe, 0000000B.00000000.125834112831.0000000009433000.00000004.00000001.sdmp |
String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp |
Source: explorer.exe, 0000000B.00000000.125834112831.0000000009433000.00000004.00000001.sdmp |
String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpU |
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa |
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/ |
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant |
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp |
String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin |
Source: explorer.exe, 0000000B.00000002.130390532984.0000000004FA5000.00000004.00000001.sdmp |
String found in binary or memory: https://www.msn.com:443/en-us/feed |
Source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 4.3.Sales Order List.exe.18f3e10.3.raw.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 4.3.Sales Order List.exe.18f3e10.7.raw.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E1E3D |
2_2_022E1E3D |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022ED671 |
2_2_022ED671 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022F6B37 |
2_2_022F6B37 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EDBA3 |
2_2_022EDBA3 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022ED01F |
2_2_022ED01F |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E3D31 |
2_2_022E3D31 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC22A |
2_2_022EC22A |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E4279 |
2_2_022E4279 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EAE56 |
2_2_022EAE56 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E42A5 |
2_2_022E42A5 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EAAA3 |
2_2_022EAAA3 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EA68C |
2_2_022EA68C |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EE295 |
2_2_022EE295 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EA691 |
2_2_022EA691 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC2E4 |
2_2_022EC2E4 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EBADD |
2_2_022EBADD |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E2ED9 |
2_2_022E2ED9 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E12D4 |
2_2_022E12D4 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EBED0 |
2_2_022EBED0 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022F2B30 |
2_2_022F2B30 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022F4F00 |
2_2_022F4F00 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EB34D |
2_2_022EB34D |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EB745 |
2_2_022EB745 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E5B99 |
2_2_022E5B99 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E9FE8 |
2_2_022E9FE8 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC7CD |
2_2_022EC7CD |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EBBD1 |
2_2_022EBBD1 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC024 |
2_2_022EC024 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022ED414 |
2_2_022ED414 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022ED079 |
2_2_022ED079 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EB0C8 |
2_2_022EB0C8 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022ED8D8 |
2_2_022ED8D8 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC539 |
2_2_022EC539 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E2D33 |
2_2_022E2D33 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022F3D63 |
2_2_022F3D63 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EB98D |
2_2_022EB98D |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EBD85 |
2_2_022EBD85 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022F4993 |
2_2_022F4993 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EB5E0 |
2_2_022EB5E0 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022ED5FC |
2_2_022ED5FC |
Source: C:\ProgramData\images.exe |
Code function: 15_2_02346B37 |
15_2_02346B37 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_0233DBA3 |
15_2_0233DBA3 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_02343D63 |
15_2_02343D63 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_02334279 |
15_2_02334279 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_023342A5 |
15_2_023342A5 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_0233E295 |
15_2_0233E295 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_023312D4 |
15_2_023312D4 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_02342B30 |
15_2_02342B30 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_02344F00 |
15_2_02344F00 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_02339FE8 |
15_2_02339FE8 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_02333FD5 |
15_2_02333FD5 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_0233DBDF |
15_2_0233DBDF |
Source: C:\ProgramData\images.exe |
Code function: 15_2_0233D01F |
15_2_0233D01F |
Source: C:\ProgramData\images.exe |
Code function: 15_2_02344993 |
15_2_02344993 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_0233D5FC |
15_2_0233D5FC |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EDBA3 NtAllocateVirtualMemory, |
2_2_022EDBA3 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022ED01F NtWriteVirtualMemory, |
2_2_022ED01F |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E3D31 NtWriteVirtualMemory,TerminateProcess, |
2_2_022E3D31 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022F6548 NtProtectVirtualMemory, |
2_2_022F6548 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC22A NtWriteVirtualMemory, |
2_2_022EC22A |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EDE40 NtAllocateVirtualMemory, |
2_2_022EDE40 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EAE56 NtWriteVirtualMemory, |
2_2_022EAE56 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EAAA3 NtWriteVirtualMemory, |
2_2_022EAAA3 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC2E4 NtWriteVirtualMemory, |
2_2_022EC2E4 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EBADD NtWriteVirtualMemory, |
2_2_022EBADD |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EBED0 NtWriteVirtualMemory, |
2_2_022EBED0 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022F4F00 NtWriteVirtualMemory,LoadLibraryA, |
2_2_022F4F00 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EB34D NtWriteVirtualMemory, |
2_2_022EB34D |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EB745 NtWriteVirtualMemory, |
2_2_022EB745 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC7CD NtWriteVirtualMemory, |
2_2_022EC7CD |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EBBD1 NtWriteVirtualMemory, |
2_2_022EBBD1 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC024 NtWriteVirtualMemory, |
2_2_022EC024 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EB0C8 NtWriteVirtualMemory, |
2_2_022EB0C8 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022ED8D8 NtAllocateVirtualMemory, |
2_2_022ED8D8 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC539 NtWriteVirtualMemory, |
2_2_022EC539 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EDD13 NtAllocateVirtualMemory, |
2_2_022EDD13 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022F3D63 NtWriteVirtualMemory,LoadLibraryA, |
2_2_022F3D63 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EB98D NtWriteVirtualMemory, |
2_2_022EB98D |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EBD85 NtWriteVirtualMemory, |
2_2_022EBD85 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EB5E0 NtWriteVirtualMemory, |
2_2_022EB5E0 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 4_2_0167834D Sleep,NtProtectVirtualMemory, |
4_2_0167834D |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 4_2_016780FC NtProtectVirtualMemory, |
4_2_016780FC |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 4_2_01678529 NtProtectVirtualMemory, |
4_2_01678529 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 4_2_016780F7 NtProtectVirtualMemory, |
4_2_016780F7 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_0233DBA3 NtAllocateVirtualMemory, |
15_2_0233DBA3 |
Source: C:\ProgramData\images.exe |
Code function: 15_2_0233DBDF NtAllocateVirtualMemory, |
15_2_0233DBDF |
Source: unknown |
Process created: C:\Users\user\Desktop\Sales Order List.exe "C:\Users\user\Desktop\Sales Order List.exe" |
|
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process created: C:\Users\user\Desktop\Sales Order List.exe "C:\Users\user\Desktop\Sales Order List.exe" |
|
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe" (the "Load" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is a documented per-user logon autostart location; this command registers the dropped copy C:\ProgramData\images.exe for persistence, and because the key lives under HKCU it needs no administrative rights) |
|
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe" |
|
Source: C:\ProgramData\images.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 740 (WerFault.exe is the Windows Error Reporting crash handler and -p names the faulting process ID, so this most likely indicates that images.exe, PID 4192, crashed rather than that the sample launched WER deliberately; it also explains why the system-library .pdb paths listed below appear only in WerFault.exe memory dumps) |
|
Source: C:\ProgramData\images.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 772 |
|
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process created: C:\Users\user\Desktop\Sales Order List.exe "C:\Users\user\Desktop\Sales Order List.exe" |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe" |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe" |
Source: |
Binary string: WinTypes.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126024539923.00000000068B8000.00000004.00000001.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb( source: WerFault.exe, 00000014.00000003.125904782894.0000000005CEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126018047691.0000000006475000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdb( source: WerFault.exe, 00000014.00000003.125904003059.0000000002DFC000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008791375.00000000033D5000.00000004.00000001.sdmp |
Source: |
Binary string: coml2.pdb6H&8e source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009250720.000000000334B000.00000004.00000001.sdmp |
Source: |
Binary string: ntmarta.pdb( source: WerFault.exe, 00000014.00000003.125910819500.0000000005D29000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023579033.00000000068B2000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008890066.00000000033E0000.00000004.00000001.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.125905933053.0000000005C3F000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126013564666.00000000033F7000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033173702.0000000005431000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdb$H48s source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp |
Source: |
Binary string: CoreMessaging.pdb source: WerFault.exe, 00000014.00000003.125913249873.0000000005D18000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126017165802.000000000649F000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: apphelp.pdb( source: WerFault.exe, 00000014.00000003.125903738538.0000000002D80000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009354250.0000000003358000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.125905520713.0000000002DF6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033269253.0000000005520000.00000004.00000040.sdmp |
Source: |
Binary string: oleaut32.pdb( source: WerFault.exe, 00000014.00000003.125909078051.0000000005CE0000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126012936139.000000000646A000.00000004.00000001.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126010636897.00000000033E6000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdb( source: WerFault.exe, 00000014.00000003.125905831080.0000000005C34000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008890066.00000000033E0000.00000004.00000001.sdmp |
Source: |
Binary string: ntmarta.pdb source: WerFault.exe, 00000014.00000003.125910819500.0000000005D29000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023579033.00000000068B2000.00000004.00000001.sdmp |
Source: |
Binary string: coml2.pdb( source: WerFault.exe, 00000017.00000003.126018806279.000000000648C000.00000004.00000001.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008843786.00000000033DB000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb( source: WerFault.exe, 00000014.00000003.125904733671.0000000005CE6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016753163.0000000006470000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.125900100057.0000000002D6E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.125904733671.0000000005CE6000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016753163.0000000006470000.00000004.00000001.sdmp |
Source: |
Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000014.00000003.125915266650.0000000005D13000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022235396.0000000006499000.00000004.00000001.sdmp |
Source: |
Binary string: TextShaping.pdb source: WerFault.exe, 00000014.00000003.125917002362.0000000006562000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.125927969397.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008696474.00000000033CA000.00000004.00000001.sdmp |
Source: |
Binary string: oleaut32.pdbQ source: WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: CoreMessaging.pdb( source: WerFault.exe, 00000014.00000003.125913249873.0000000005D18000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126017165802.000000000649F000.00000004.00000001.sdmp |
Source: |
Binary string: sxs.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: bcryptprimitives.pdb( source: WerFault.exe, 00000014.00000003.125909199577.0000000005CF1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016848001.000000000647B000.00000004.00000001.sdmp |
Source: |
Binary string: wUxTheme.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126019837993.000000000613C000.00000004.00000001.sdmp |
Source: |
Binary string: sechost.pdb( source: WerFault.exe, 00000014.00000003.125905988617.0000000005C45000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010047688.00000000033F1000.00000004.00000001.sdmp |
Source: |
Binary string: combase.pdb( source: WerFault.exe, 00000014.00000003.125907854720.0000000002E1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010408748.00000000060E2000.00000004.00000001.sdmp |
Source: |
Binary string: CoreUIComponents.pdb( source: WerFault.exe, 00000014.00000003.125915266650.0000000005D13000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022235396.0000000006499000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.125899753643.0000000002D6E000.00000004.00000001.sdmp |
Source: |
Binary string: msvcrt.pdb( source: WerFault.exe, 00000014.00000003.125905933053.0000000005C3F000.00000004.00000001.sdmp |
Source: |
Binary string: ws2_32.pdb source: WerFault.exe, 00000014.00000003.125917746027.0000000005D1E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb( source: WerFault.exe, 00000014.00000003.125907125589.0000000005C3A000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010636897.00000000033E6000.00000004.00000001.sdmp |
Source: |
Binary string: coml2.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126018806279.000000000648C000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126008791375.00000000033D5000.00000004.00000001.sdmp |
Source: |
Binary string: WinTypes.pdb( source: WerFault.exe, 00000017.00000003.126024539923.00000000068B8000.00000004.00000001.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126010047688.00000000033F1000.00000004.00000001.sdmp |
Source: |
Binary string: ws2_32.pdb8H 8 source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp |
Source: |
Binary string: wrpcrt4.pdb( source: WerFault.exe, 00000017.00000003.126013564666.00000000033F7000.00000004.00000001.sdmp |
Source: |
Binary string: msctf.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126021040208.0000000006486000.00000004.00000001.sdmp |
Source: |
Binary string: ,wntdll.pdb source: WerFault.exe, 00000014.00000003.125899412774.0000000002D70000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdb( source: WerFault.exe, 00000017.00000003.126008696474.00000000033CA000.00000004.00000001.sdmp |
Source: |
Binary string: TextInputFramework.pdb source: WerFault.exe, 00000014.00000003.125910630742.0000000005D0D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126022159017.0000000006493000.00000004.00000001.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126018047691.0000000006475000.00000004.00000001.sdmp |
Source: |
Binary string: TextShaping.pdb( source: WerFault.exe, 00000014.00000003.125917002362.0000000006562000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126023187158.00000000068BD000.00000004.00000001.sdmp |
Source: |
Binary string: ws2_32.pdb( source: WerFault.exe, 00000014.00000003.125917746027.0000000005D1E000.00000004.00000001.sdmp |
Source: |
Binary string: wUxTheme.pdb( source: WerFault.exe, 00000017.00000003.126019837993.000000000613C000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32.pdb( source: WerFault.exe, 00000014.00000003.125905520713.0000000002DF6000.00000004.00000001.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.125909199577.0000000005CF1000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126016848001.000000000647B000.00000004.00000001.sdmp |
Source: |
Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Sales Order List.exe, 00000004.00000003.125766201878.000000001F5C1000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.125849081972.000000000EA70000.00000040.00000001.sdmp |
Source: |
Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: Sales Order List.exe, 00000004.00000003.125766201878.000000001F5C1000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.125849081972.000000000EA70000.00000040.00000001.sdmp (unlike the system-library .pdb names above, this is the sample's own build path; its presence in explorer.exe memory as well is consistent with the sample's code having been written into explorer.exe, which the NtAllocateVirtualMemory/NtWriteVirtualMemory call sites listed earlier should be checked against to confirm the target process) |
Source: |
Binary string: msctf.pdb( source: WerFault.exe, 00000014.00000003.125910562779.0000000005D02000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126021040208.0000000006486000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.125903704223.0000000002D7B000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009302903.0000000003351000.00000004.00000001.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.125907854720.0000000002E1D000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126010408748.00000000060E2000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb( source: WerFault.exe, 00000014.00000003.125905424783.0000000002DEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008630763.00000000033C4000.00000004.00000001.sdmp |
Source: |
Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.125903667098.0000000002D75000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126009250720.000000000334B000.00000004.00000001.sdmp |
Source: |
Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.125928027487.0000000005268000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126012936139.000000000646A000.00000004.00000001.sdmp |
Source: |
Binary string: coml2.pdb} source: WerFault.exe, 00000017.00000003.126033336482.0000000005528000.00000004.00000040.sdmp |
Source: |
Binary string: TextInputFramework.pdb( source: WerFault.exe, 00000014.00000003.125910630742.0000000005D0D000.00000004.00000001.sdmp |
Source: |
Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.125927969397.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.126009354250.0000000003358000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.125905424783.0000000002DEB000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008630763.00000000033C4000.00000004.00000001.sdmp |
Source: |
Binary string: ole32.pdb( source: WerFault.exe, 00000014.00000003.125907817675.0000000002E17000.00000004.00000001.sdmp |
Source: |
Binary string: msvcp_win.pdb( source: WerFault.exe, 00000014.00000003.125904042199.0000000002E01000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.126008843786.00000000033DB000.00000004.00000001.sdmp |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_00404402 pushfd ; retf |
2_2_0040441F |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_00403827 push es; ret |
2_2_00403829 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_004044E6 pushfd ; retf |
2_2_004044E7 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_0040A880 pushfd ; ret |
2_2_0040A894 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_0040A101 push edx; retf |
2_2_0040A10A |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_00404585 pushfd ; retf |
2_2_00404597 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_0040459A pushfd ; retf |
2_2_004045AB |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_004051BF push dword ptr [esi]; iretd |
2_2_004051C6 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_0040665E pushfd ; retf |
2_2_0040665F |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_0040427A pushfd ; retf |
2_2_0040427B |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_004062C2 pushfd ; retf |
2_2_004062C3 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_0040A6C2 push ebx; retf |
2_2_0040A6CA |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_004072E2 pushfd ; retf |
2_2_0040730F |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_0040434A pushfd ; retf |
2_2_0040434B |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_00404336 pushfd ; retf |
2_2_00404347 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_0040633E pushfd ; retf |
2_2_0040634B |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_004067DF pushfd ; retf |
2_2_004067E7 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E1E3D pushad ; retn EE2Ch |
2_2_022E1D75 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022ED671 push 1D9AA5CFh; iretd |
2_2_022ED765 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E1698 push ebx; retn F070h |
2_2_022E183E |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E3D31 push ebp; retf 67B7h |
2_2_022E5122 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E1AD3 pushad ; retn EE2Ch |
2_2_022E1D75 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E9B0B push ebp; retf |
2_2_022E9B0C |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E5FF4 push esp; iretd |
2_2_022E5FF5 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EC7CD push 1D6C9AC2h; retn 6C9Ah |
2_2_022ECC4A |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022ED414 push 3A04CBC7h; retf |
2_2_022ED629 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E0012 push AE35C959h; retf |
2_2_022E001E |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E6479 push esp; iretd |
2_2_022E66CA |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E24F2 push 812B1A06h; ret |
2_2_022E24FD |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022E2D33 push ebp; retf 57CCh |
2_2_022E2E80 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Code function: 2_2_022EDD13 push 708CCF4Eh; iretd |
2_2_022EDF11 |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Sales Order List.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\ProgramData\images.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Shutdown Service |
Source: WerFault.exe, 00000017.00000002.126063872302.0000000003308000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAWu |
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: vmicshutdown |
Source: WerFault.exe, 00000014.00000003.125951857336.0000000002E13000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllppsessionguid" val="00001060-0001-0011-c1a2-7ed0d8dfd701" /> |
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: Sales Order List.exe, 00000004.00000003.125872058569.000000000189B000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW- |
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V PowerShell Direct Service |
Source: explorer.exe, 0000000B.00000002.130418618344.0000000010A3B000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW2 |
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Time Synchronization Service |
Source: Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: vmicvss |
Source: Sales Order List.exe, explorer.exe, 0000000B.00000002.130418921281.0000000010A5F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.125980596864.0000000002E13000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000002.126063872302.0000000003308000.00000004.00000020.sdmp |
Binary or memory string: Hyper-V RAW |
Source: Sales Order List.exe, 00000004.00000002.125877417935.0000000003310000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=14riMs-By6HjEY7hTtEKf9cx7RhIUcVvn |
Source: Amcache.hve.20.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Sales Order List.exe, 00000002.00000002.125548712664.00000000053D0000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877417935.0000000003310000.00000004.00000001.sdmp |
Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Data Exchange Service |
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Heartbeat Service |
Source: Sales Order List.exe, 00000002.00000002.125548774055.0000000005499000.00000004.00000001.sdmp, Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V Guest Service Interface |
Source: Sales Order List.exe, 00000002.00000002.125548712664.00000000053D0000.00000004.00000001.sdmp |
Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll |
Source: Sales Order List.exe, 00000004.00000002.125877555825.00000000033D9000.00000004.00000001.sdmp |
Binary or memory string: vmicheartbeat |