Click to jump to signature section
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00191000 CryptUnprotectData, | 0_2_00191000 |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00191C40 CryptSignHashA,CryptUpdateProtectedState,WinHttpTimeFromSystemTime, | 0_2_00191C40 |
Source: V6ZsDcgx4N.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: V6ZsDcgx4N.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\ | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\ | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\ | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\ | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\ | Jump to behavior |
Source: global traffic | HTTP traffic detected: POST /api/receiver/recv HTTP/1.1Connection: Keep-AliveContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.48Content-Length: 3160Host: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.125.66.18 |
Source: unknown | HTTP traffic detected: POST /api/receiver/recv HTTP/1.1Connection: Keep-AliveContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.48Content-Length: 3160Host: 45.125.66.18 |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co3 |
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A61000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18/ |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A2E000.00000004.00000001.00020000.00000000.sdmp, V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18/api/receiver/recv |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18/api/receiver/recv% |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A2E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://45.125.66.18:443/api/receiver/recv |
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704 |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00193D50 NtClose,NtClose, | 0_2_00193D50 |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00191470 NtQuerySystemInformation,OpenProcess,GetCurrentProcess,DuplicateHandle,GetFileType,CloseHandle,GetCurrentProcess,DuplicateHandle,CloseHandle,FindCloseChangeNotification, | 0_2_00191470 |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Code function: 0_2_00191610 NtQueryObject,NtQueryObject, | 0_2_00191610 |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 54484 |
Source: V6ZsDcgx4N.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine | Classification label: mal76.evad.winEXE@2/5@0/1 |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Mutant created: \Sessions\1\BaseNamedObjects\082e2202-17f7-4654-a651-ac9a3778e1d7 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2556 |
Source: V6ZsDcgx4N.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: V6ZsDcgx4N.exe | ReversingLabs: Detection: 15% |
Source: V6ZsDcgx4N.exe | Virustotal: Detection: 24% |
Source: unknown | Process created: C:\Users\user\Desktop\V6ZsDcgx4N.exe "C:\Users\user\Desktop\V6ZsDcgx4N.exe" |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 54484 |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: dpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: webio.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: schannel.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: mskeyprotect.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: ntasn1.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: ncrypt.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: ncryptsslp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Section loaded: wldp.dll | Jump to behavior |
Source: V6ZsDcgx4N.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\ | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\ | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\ | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\ | Jump to behavior |
Source: C:\Users\user\Desktop\V6ZsDcgx4N.exe | File opened: C:\Users\user\AppData\Local\Adobe\ | Jump to behavior |
Source: Amcache.hve.4.dr | Binary or memory string: VMware |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.4.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.4.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A2E000.00000004.00000001.00020000.00000000.sdmp, V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.4.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523015066.0000000000A78000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWW |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.sys |
Source: Amcache.hve.4.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.4.dr | Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware20,1 |
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.4.dr | Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.4.dr | Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.4.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523257182.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523257182.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523257182.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman |
Source: V6ZsDcgx4N.exe, 00000000.00000002.2523257182.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock |
Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe |