Source: | Binary string: rsaenh.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: \??\C:\Windows\System.pdb& source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.446729518.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.446463538.0000000000D7F000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448927179.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448308862.0000000004D01000.00000004.00000001.sdmp |
Source: | Binary string: ncryptsslp.pdb sd$ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: System.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp |
Source: | Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp |
Source: | Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp |
Source: | Binary string: C:\Users\user\Desktop\stage2.PDBx source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp |
Source: | Binary string: System.Configuration.pdbk source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp |
Source: | Binary string: winnsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: rasapi32.pdbJ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: clr.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp |
Source: | Binary string: cryptsp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp |
Source: | Binary string: \??\C:\Users\user\Desktop\stage2.PDBX source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp |
Source: | Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp |
Source: | Binary string: msasn1.pdbz source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp |
Source: | Binary string: C:\Users\user\Desktop\stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp |
Source: | Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: urlmon.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp |
Source: | Binary string: schannel.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: System.Core.pdbQ2 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp |
Source: | Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp |
Source: | Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: mscorlib.pdb<7 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp |
Source: | Binary string: System.Xml.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp |
Source: | Binary string: indows.Forms.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp |
Source: | Binary string: i.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp |
Source: | Binary string: mscoree.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp |
Source: | Binary string: ws2_32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: shlwapi.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp |
Source: | Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: nsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdbb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp |
Source: | Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp |
Source: | Binary string: gpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: mscorlib.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr |
Source: | Binary string: System.Configuration.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: clrjit.pdb8Std source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp |
Source: | Binary string: iertutil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp |
Source: | Binary string: msasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: nsi.pdb+: source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: mscorlib.pdb source: stage2.exe, 00000001.00000002.481938339.0000000006684000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp |
Source: | Binary string: System.Configuration.ni.pdbRSDSO* source: WER14DB.tmp.dmp.26.dr |
Source: | Binary string: ncrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: secur32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: System.Xml.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr |
Source: | Binary string: rasadhlp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: System.Core.ni.pdbRSDSD source: WER14DB.tmp.dmp.26.dr |
Source: | Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: mscorlib.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp |
Source: | Binary string: mscoreei.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp |
Source: | Binary string: (P}k0C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp |
Source: | Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: C:\Windows\mscorlib.pdbpdblib.pdbW source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp |
Source: | Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: System.ni.pdbT3Mn source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp |
Source: | Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp |
Source: | Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp |
Source: | Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp |
Source: | Binary string: .pdb! source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp |
Source: | Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp |
Source: | Binary string: dnsapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: rasapi32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp |
Source: | Binary string: diasymreader.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: winhttp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: ntasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb6 source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\System.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp |
Source: | Binary string: System.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp |
Source: | Binary string: rtutils.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: fwpuclnt.pdb& id7 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp |
Source: | Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp |
Source: | Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp |
Source: | Binary string: System.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr |
Source: | Binary string: clrjit.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: bcrypt.pdbF source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: rasman.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: wUxTheme.pdb4Shd source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: rasadhlp.pdbh source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: winhttp.pdb\ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: wmswsock.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: version.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: Windows.StateRepositoryPS.pdb+3 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: System.Xml.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: System.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: System.Xml.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp |
Source: | Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp |
Source: | Binary string: psapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp |
Source: | Binary string: gpapi.pdb2 ]dd source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp |
Source: | Binary string: cldapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: System.Core.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp |
Source: | Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp |
Source: | Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp |
Source: | Binary string: mscoreei.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp |
Source: | Binary string: dhcpcsvc.pdbn source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp |
Source: | Binary string: wuser32.pdb>Srdn source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: System.Core.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: combase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp |
Source: | Binary string: rsaenh.pdb@ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: arkjrukCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.477704320.00000000006E2000.00000004.00000001.sdmp |
Source: | Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp |
Source: | Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp |
Source: | Binary string: System.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr |
Source: | Binary string: edputil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp |
Source: | Binary string: crypt32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: | Binary string: winnsi.pdb< gd> source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp |
Source: stage2.exe, 00000001.00000000.438989759.000000000337A000.00000004.00000001.sdmp | String found in binary or memory: http://cdn.discordapp.com |
Source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp, powershell.exe, 00000002.00000002.339502555.0000000000FB3000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.426449347.0000000000DCD000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.475719266.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479105876.0000000004B86000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: powershell.exe, 0000000D.00000002.432860821.0000000009220000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft |
Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png$ |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone |
Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.340839036.0000000004DC1000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.427485435.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ |
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o |
Source: Amcache.hve.26.dr | String found in binary or memory: http://upx.sf.net |
Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html$ |
Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com |
Source: stage2.exe | String found in binary or memory: https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg |
Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com4 |
Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester$ |
Source: powershell.exe, 00000002.00000002.341684839.0000000005150000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.429277847.0000000004FA7000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: WerFault.exe, 0000001A.00000002.478119853.0000000000DAA000.00000004.00000001.sdmp | String found in binary or memory: https://watson.telemetry) |
Source: stage2.exe, type: SAMPLE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: stage2.exe, type: SAMPLE | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: stage2.exe, type: SAMPLE | Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score = |
Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 00000001.00000000.439887170.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 00000001.00000002.480052318.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 00000001.00000000.437666808.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: 00000001.00000000.271766492.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Source: Process Memory Space: powershell.exe PID: 7160, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28 |
Source: Process Memory Space: powershell.exe PID: 7140, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28 |