Source: 0.2.file.exe.1bc10000.3.raw.unpack | Malware Configuration Extractor: BlackGuard {"C2 url": "http://94.142.138.111"} |
Source: Yara match | File source: 0.2.file.exe.13ebcb40.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.file.exe.1bc10000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.file.exe.1bc10000.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.file.exe.13ebcb40.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.file.exe.134c4648.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.file.exe.134c4648.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.410785101.0000000013EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.414643984.000000001BC10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.410785101.0000000013171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: file.exe | ReversingLabs: Detection: 32% |
Source: file.exe | Virustotal: Detection: 46% |
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: | Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Core.ni.pdbRSDSD source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdb source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: System.ni.pdbRSDS source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: file.PDB source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: 0C:\Windows\mscorlib.pdbG> source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.Core.pdb< source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: System.Windows.Forms.ni.pdb source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: System.Drawing.ni.pdb source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: System.Drawing.ni.pdbRSDS source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: System.pdb source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: \??\C:\Users\user\Desktop\file.PDBL8 source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Core.ni.pdb source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: System.Windows.Forms.pdb source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.pdb source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: System.Drawing.pdb source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: mscorlib.ni.pdb source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: \??\C:\Windows\mscorlib.pdb source: file.exe, 00000000.00000002.410474117.00000000012CA000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.Core.pdb source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: lib.pdb.0 source: file.exe, 00000000.00000002.410443620.0000000000FA4000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: mscorlib.ni.pdbRSDS] source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: System.ni.pdb source: WER7C19.tmp.dmp.3.dr |
Source: | Binary string: indows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdba5c5 source: file.exe, 00000000.00000002.410474117.0000000001317000.00000004.00000020.00020000.00000000.sdmp |
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net |
Source: file.exe, VK/Program.cs | Large array initialization: GlobaLeess: array initializer size 3484704 |
Source: file.exe, 00000000.00000002.410474117.0000000001279000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe |
Source: file.exe | Binary or memory string: OriginalFilenamePython ConsoleB vs file.exe |
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3360 -s 944 |
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: C:\Windows\System32\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: unknown | Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 |
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3360 |
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7C19.tmp |
Source: classification engine | Classification label: mal88.troj.evad.winEXE@2/5@0/1 |
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Source: file.exe | Static file information: File size 3661312 > 1048576 |
Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: file.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x353c00 |
Source: file.exe, VK/Program.cs | .Net Code: Ehti System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: file.exe, VK/Program.cs | .Net Code: Ehti |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.3.dr | Binary or memory string: VMware |
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.3.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.3.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7 |
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation |
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Amcache.hve.3.dr | Binary or memory string: c:\users\user\desktop\procexp.exe |
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.3.dr | Binary or memory string: procexp.exe |