Source: Yara match |
File source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.320185486.000000000468C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: qpwx2wT5ky.exe PID: 6428, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: LaunchWinApp.exe PID: 5980, type: MEMORYSTR |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00410327 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,CryptUnprotectData, |
2_2_00410327 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0040E6DD __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, |
2_2_0040E6DD |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0040CB3A __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey, |
2_2_0040CB3A |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00428EC4 CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, |
2_2_00428EC4 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00434EB9 lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA, |
2_2_00434EB9 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00429097 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, |
2_2_00429097 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0040F186 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,CryptUnprotectData, |
2_2_0040F186 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0040D1A3 __EH_prolog,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,CryptUnprotectData, |
2_2_0040D1A3 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0041FC20 __EH_prolog,_strlen,CryptStringToBinaryA, |
2_2_0041FC20 |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: ktmw32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: nsi.pdb_ source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: winnsi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.473103575.00000000053B3000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: userenv.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: iphlpapi.pdbe source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: winhttp.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wUxTheme.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: gdiplus.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ws2_32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: iphlpapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: nsi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Kernel.Appcore.pdbf source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: webio.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wsspicli.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wmswsock.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: msasn1.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: sechost.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernelbase.pdb source: WerFault.exe, 00000010.00000002.502132177.0000000002F52000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: c:\TFS\DevDiv\OC-CT-Main23Rel-Dev14\src\src\Waverton\Cct.Contracts.Public\obj\VS140\Release\Release\Microsoft.VisualStudio.WindowsAzure.Contracts.2.3.pdb source: qpwx2wT5ky.exe |
Source: |
Binary string: cryptbase.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: crypt32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.166.1.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.166.1.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.166.1.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.166.1.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.166.1.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.166.1.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.166.1.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.166.1.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.219.236.139 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.219.236.139 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.219.236.139 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.219.236.139 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.180.174.147 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.180.174.147 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.180.174.147 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.180.174.147 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.180.174.147 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 159.223.25.220 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 159.223.25.220 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 159.223.25.220 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 159.223.25.220 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.180.174.147 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 159.223.25.220 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.180.174.147 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 159.223.25.220 |
Source: Yara match |
File source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.320185486.000000000468C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: qpwx2wT5ky.exe PID: 6428, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: LaunchWinApp.exe PID: 5980, type: MEMORYSTR |
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen |
Source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE |
Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE |
Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen |
Source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen |
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen |
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen |
Source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Raccoon stealer payload Author: ditekSHen |
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender |
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 0.3.qpwx2wT5ky.exe.46615d0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window |
Source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender |
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 0.2.qpwx2wT5ky.exe.31bbfc0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window |
Source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender |
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 0.3.qpwx2wT5ky.exe.45615b0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window |
Source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 0.2.qpwx2wT5ky.exe.3170000.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window |
Source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 0.3.qpwx2wT5ky.exe.4615610.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window |
Source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender |
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF |
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 00000000.00000002.317108118.0000000003170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window |
Source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_Raccoon author = ditekSHen, description = Raccoon stealer payload |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_017720B0 |
0_2_017720B0 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177B548 |
0_2_0177B548 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_017797A8 |
0_2_017797A8 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177784B |
0_2_0177784B |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_01775FA8 |
0_2_01775FA8 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177F160 |
0_2_0177F160 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177F120 |
0_2_0177F120 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177F1FC |
0_2_0177F1FC |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177F1BA |
0_2_0177F1BA |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177F1A2 |
0_2_0177F1A2 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177F0F1 |
0_2_0177F0F1 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177B53F |
0_2_0177B53F |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177B538 |
0_2_0177B538 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177F512 |
0_2_0177F512 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177F971 |
0_2_0177F971 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177F939 |
0_2_0177F939 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_0177F9A0 |
0_2_0177F9A0 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA5280 |
0_2_06AA5280 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AAB240 |
0_2_06AAB240 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA5E10 |
0_2_06AA5E10 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA0D90 |
0_2_06AA0D90 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA8D48 |
0_2_06AA8D48 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA66A0 |
0_2_06AA66A0 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA6690 |
0_2_06AA6690 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA6648 |
0_2_06AA6648 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA4570 |
0_2_06AA4570 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA4540 |
0_2_06AA4540 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AAB230 |
0_2_06AAB230 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA5262 |
0_2_06AA5262 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA60CA |
0_2_06AA60CA |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA60DC |
0_2_06AA60DC |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AABE28 |
0_2_06AABE28 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA5E00 |
0_2_06AA5E00 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AABE18 |
0_2_06AABE18 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA6B1B |
0_2_06AA6B1B |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA19A1 |
0_2_06AA19A1 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA59E8 |
0_2_06AA59E8 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA59F8 |
0_2_06AA59F8 |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Code function: 0_2_06AA19D8 |
0_2_06AA19D8 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00424AE3 |
2_2_00424AE3 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0042B39F |
2_2_0042B39F |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0044E1E3 |
2_2_0044E1E3 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0041828E |
2_2_0041828E |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00410327 |
2_2_00410327 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0041C41C |
2_2_0041C41C |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0040E6DD |
2_2_0040E6DD |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0043670C |
2_2_0043670C |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0045E889 |
2_2_0045E889 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00462915 |
2_2_00462915 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00416A44 |
2_2_00416A44 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0041EA4E |
2_2_0041EA4E |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0043EB1A |
2_2_0043EB1A |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0041CD2C |
2_2_0041CD2C |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0041ADCA |
2_2_0041ADCA |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0044AEC0 |
2_2_0044AEC0 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00448F57 |
2_2_00448F57 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0045AF13 |
2_2_0045AF13 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00410F9C |
2_2_00410F9C |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0045B033 |
2_2_0045B033 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0040F186 |
2_2_0040F186 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0040D1A3 |
2_2_0040D1A3 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00429260 |
2_2_00429260 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_004652C6 |
2_2_004652C6 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0041F3F5 |
2_2_0041F3F5 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0043543D |
2_2_0043543D |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0041D56F |
2_2_0041D56F |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00411675 |
2_2_00411675 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00443740 |
2_2_00443740 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00419719 |
2_2_00419719 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_004378ED |
2_2_004378ED |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0045D97C |
2_2_0045D97C |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0041D901 |
2_2_0041D901 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_004219E2 |
2_2_004219E2 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0042DB88 |
2_2_0042DB88 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00437D4A |
2_2_00437D4A |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0044DD54 |
2_2_0044DD54 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0041FDB7 |
2_2_0041FDB7 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_00429E5B |
2_2_00429E5B |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0044DF86 |
2_2_0044DF86 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: 2_2_0043DF8D |
2_2_0043DF8D |
Source: qpwx2wT5ky.exe |
Binary or memory string: OriginalFilename vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe, 00000000.00000002.319124765.00000000043CB000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe, 00000000.00000000.296234840.0000000000E23000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameHospital_project.exeR vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe, 00000000.00000003.302712970.0000000004953000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe, 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameZakrytyeKupla.exe< vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe, 00000000.00000002.319540650.000000000460E000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameZakrytyeKupla.exe< vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe, 00000000.00000002.319282911.00000000044EC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe, 00000000.00000002.317907078.0000000003431000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe, 00000000.00000002.320644906.0000000004717000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe, 00000000.00000003.302587573.0000000004832000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamePphG DCj.exe2 vs qpwx2wT5ky.exe |
Source: qpwx2wT5ky.exe |
Binary or memory string: OriginalFilenameHospital_project.exeR vs qpwx2wT5ky.exe |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: ktmw32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: nsi.pdb_ source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: winnsi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.473103575.00000000053B3000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: userenv.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: iphlpapi.pdbe source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: winhttp.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wUxTheme.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: gdiplus.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ws2_32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: iphlpapi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: nsi.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Kernel.Appcore.pdbf source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: webio.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wsspicli.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wmswsock.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: msasn1.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: sechost.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.485599339.0000000005720000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.485267458.0000000005751000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernelbase.pdb source: WerFault.exe, 00000010.00000002.502132177.0000000002F52000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: c:\TFS\DevDiv\OC-CT-Main23Rel-Dev14\src\src\Waverton\Cct.Contracts.Public\obj\VS140\Release\Release\Microsoft.VisualStudio.WindowsAzure.Contracts.2.3.pdb source: qpwx2wT5ky.exe |
Source: |
Binary string: cryptbase.pdbk source: WerFault.exe, 00000010.00000003.485368691.0000000005722000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485613034.0000000005725000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: crypt32.pdb source: WerFault.exe, 00000010.00000003.485388333.0000000005728000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.485627949.0000000005728000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\qpwx2wT5ky.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware |
Source: WerFault.exe, 00000010.00000003.500364191.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.500236208.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000003.500024980.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000010.00000002.503283976.00000000053B8000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW6 |
Source: Amcache.hve.16.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: qpwx2wT5ky.exe, 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp, qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware, Inc. |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: WerFault.exe, 00000010.00000002.503165059.00000000052F0000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMWARE |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware, Inc.me |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMware SVGA II |
Source: Amcache.hve.16.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMwareVBoxARun using valid operating systemUSER |
Source: Amcache.hve.16.dr |
Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMWAREESOFTWARE\VMware, Inc.\VMware Tools |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmware |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: Amcache.hve.16.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware7,1 |
Source: Amcache.hve.16.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.16.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.16.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.16.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.16.dr |
Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7 |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: qpwx2wT5ky.exe, 00000000.00000003.301171439.0000000004615000.00000004.00000800.00020000.00000000.sdmp, qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: kernel32.dll/wine_get_unix_file_nameQEMU |
Source: Amcache.hve.16.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VIRTUALBOXUSOFTWARE\Oracle\VirtualBox Guest Additions!noValueButYesKeySC:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: qpwx2wT5ky.exe, 00000000.00000003.301092646.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: InstallPathKC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\OC:\WINDOWS\system32\drivers\vmmouse.sysMC:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools |
Source: qpwx2wT5ky.exe, 00000000.00000003.301603484.0000000005962000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sys |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,Sleep,GetUserNameA,Sleep,_strlen,_strlen,StrToIntA,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,StrToIntA,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, |
2_2_0042B39F |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: EnumSystemLocalesW, |
2_2_004586D2 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: GetLocaleInfoW, |
2_2_00458CFF |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
2_2_00462E64 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: EnumSystemLocalesW, |
2_2_00463151 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: EnumSystemLocalesW, |
2_2_00463106 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: EnumSystemLocalesW, |
2_2_004631EC |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
2_2_00463277 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: GetLocaleInfoW, |
2_2_004634CA |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
2_2_004635F0 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: GetLocaleInfoW, |
2_2_004636F6 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
2_2_004637C5 |
Source: C:\Windows\SysWOW64\LaunchWinApp.exe |
Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, |
2_2_00437D4A |
Source: Yara match |
File source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.320185486.000000000468C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: qpwx2wT5ky.exe PID: 6428, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: LaunchWinApp.exe PID: 5980, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.8.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.qpwx2wT5ky.exe.468cf00.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.LaunchWinApp.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.qpwx2wT5ky.exe.468cf00.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.7.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.LaunchWinApp.exe.400000.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.318536230.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308435428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.503612673.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308711684.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.309062654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.308140277.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.320185486.000000000468C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.467738406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.309415722.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.467293779.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: qpwx2wT5ky.exe PID: 6428, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: LaunchWinApp.exe PID: 5980, type: MEMORYSTR |