Source: 0.2.file.exe.1377cb40.1.raw.unpack | Malware Configuration Extractor: BlackGuard {"C2 url": "http://94.142.138.111"} |
Source: Yara match | File source: 0.2.file.exe.12d84648.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.file.exe.12d84648.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.file.exe.1b2d0000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.file.exe.1377cb40.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.file.exe.1377cb40.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.file.exe.1b2d0000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.425285473.000000001377C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.429161475.000000001B2D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.425285473.0000000012A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: file.exe | ReversingLabs: Detection: 32% |
Source: file.exe | Virustotal: Detection: 44% |
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: | Binary string: System.Core.ni.pdbRSDSD source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdbes> source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.ni.pdbRSDS source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: lib.pdb source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.ni.pdb source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: System.Drawing.ni.pdb source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: uC:\Users\user\Desktop\file.PDBp source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.pdbSystem.Windows.Forms.dll source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdbtpHa Ql source: file.exe, 00000000.00000002.424893653.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Drawing.ni.pdbRSDS source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: file.PDBx source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.pdb source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: System.Core.ni.pdb source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: System.Windows.Forms.pdb source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: lib.pdb.00 source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdb source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: C:\Users\user\Desktop\file.PDBu source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.Drawing.pdb source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: mscorlib.ni.pdb source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.424893653.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Core.pdb source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: mscorlib.ni.pdbRSDS] source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: System.ni.pdb source: WER68D7.tmp.dmp.3.dr |
Source: | Binary string: 0C:\Windows\mscorlib.pdbG>_& source: file.exe, 00000000.00000002.424791106.0000000000754000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.Core.pdb- source: WER68D7.tmp.dmp.3.dr |
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net |
Source: file.exe, VK/Program.cs | Large array initialization: GlobaLeess: array initializer size 3484704 |
Source: file.exe, 00000000.00000002.424893653.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe |
Source: file.exe | Binary or memory string: OriginalFilenamePython ConsoleB vs file.exe |
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5788 -s 944 |
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: C:\Windows\System32\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 |
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5788 |
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER68D7.tmp |
Source: classification engine | Classification label: mal88.troj.evad.winEXE@2/5@0/0 |
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Source: file.exe | Static file information: File size 3491840 > 1048576 |
Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: file.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x353c00 |
Source: file.exe, VK/Program.cs | .Net Code: Ehti System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: file.exe, VK/Program.cs | .Net Code: Ehti |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.3.dr | Binary or memory string: VMware |
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.3.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71 |
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1g |
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation |
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe |
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |