Windows Analysis Report
Launcher_x32_x64.exe

Overview

General Information

Sample name: Launcher_x32_x64.exe
Analysis ID: 1502259
MD5: 3934bed89091117678e2f202033fa78a
SHA1: 97ee80d1b44aea7711a4465d902119965d4c3c94
SHA256: 1d03b3ff5866b8064fc703327278785e0e582aa46e79eecad9c4a7fff1ad0a90
Tags: exelumma
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: locatedblsoqp.shop URL Reputation: Label: phishing
Source: locatedblsoqp.shop URL Reputation: Label: phishing
Source: traineiwnqo.shop URL Reputation: Label: malware
Source: https://locatedblsoqp.shop/api URL Reputation: Label: malware
Source: caffegclasiqwp.shop URL Reputation: Label: malware
Source: millyscroqwp.shop URL Reputation: Label: malware
Source: condedqpwqm.shop URL Reputation: Label: phishing
Source: stagedchheiqwo.shop URL Reputation: Label: phishing
Source: stamppreewntnq.shop URL Reputation: Label: phishing
Source: https://tenseddrywsqio.shop/api Avira URL Cloud: Label: malware
Source: https://instructorledlearning.dropboxbusiness.com/ Avira URL Cloud: Label: phishing
Found malware configuration
Source: 3.2.BitLockerToGo.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["tenseddrywsqio.shop", "evoliutwoqm.shop", "traineiwnqo.shop", "locatedblsoqp.shop", "stagedchheiqwo.shop", "condedqpwqm.shop", "caffegclasiqwp.shop", "millyscroqwp.shop", "stamppreewntnq.shop"], "Build id": "LPnhqo--nlczjrpfwadf"}
Multi AV Scanner detection for domain / URL
Source: tenseddrywsqio.shop Virustotal: Detection: 14% Perma Link
Source: tenseddrywsqio.shop Virustotal: Detection: 14% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Windows\Temp\4ud5if5k.0ze.exe ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: Launcher_x32_x64.exe Virustotal: Detection: 10% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: caffegclasiqwp.shop
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: stamppreewntnq.shop
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: stagedchheiqwo.shop
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: millyscroqwp.shop
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: evoliutwoqm.shop
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: condedqpwqm.shop
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: traineiwnqo.shop
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: locatedblsoqp.shop
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: tenseddrywsqio.shop
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String decryptor: LPnhqo--nlczjrpfwadf
Uses 32bit PE files
Source: Launcher_x32_x64.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.93:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: Launcher_x32_x64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: System.Net.Sockets.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1833876636.000000000E4A0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1833941119.000000000E521000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Annotations\Release\net8.0\System.ComponentModel.Annotations.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdbSHA256y source: Launcher_x32_x64.exe
Source: Binary string: System.ComponentModel.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes\Release\net8.0-windows\System.IO.Pipes.pdbSHA256T source: Launcher_x32_x64.exe
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1821619144.000000000CE01000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Immutable\Release\net8.0\System.Collections.Immutable.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Security.ni.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1820869663.000000000CAF0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820979803.000000000CB91000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.IO.MemoryMappedFiles.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Data/Release/net8.0-windows/System.Data.pdbSHA256> source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x86\Release\System.Private.CoreLib.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\dlls\mscordac\mscordaccore.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Formats.Tar.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA256^ source: Launcher_x32_x64.exe, 00000000.00000002.1834219419.000000000E610000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1819849440.000000000AD61000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1819406365.000000000AB50000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1823830750.000000000D011000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1822713713.000000000CFD0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1820113775.000000000AEE0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820163618.000000000AF31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.FileVersionInfo.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.Specialized.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.NonGeneric.ni.pdb@- source: Launcher_x32_x64.exe
Source: Binary string: BitLockerToGo.pdb source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003F4C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1882156226.0000000002F15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832370982.000000000D2C1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel\Release\net8.0\System.ComponentModel.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TextWriterTraceListener\Release\net8.0\System.Diagnostics.TextWriterTraceListener.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.UnmanagedMemoryStream/Release/net8.0-windows/System.IO.UnmanagedMemoryStream.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.FileSystem.Primitives/Release/net8.0-windows/System.IO.FileSystem.Primitives.pdbSHA256C source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Runtime.Serialization/Release/net8.0-windows/System.Runtime.Serialization.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Threading.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832370982.000000000D2C1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdbSHA256T/ source: Launcher_x32_x64.exe
Source: Binary string: System.Private.CoreLib.ni.pdbd source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832613932.000000000D6A1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832560553.000000000D674000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdbSHA256d source: Launcher_x32_x64.exe, 00000000.00000002.1834145533.000000000E5F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834104783.000000000E5C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdbSHA256f source: Launcher_x32_x64.exe
Source: Binary string: System.Drawing.Primitives.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.ComponentModel.Annotations.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.Concurrent.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO/Release/net8.0-windows/System.IO.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net8.0-windows/Microsoft.VisualBasic.pdbSHA256P source: Launcher_x32_x64.exe
Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Tar\Release\net8.0-windows\System.Formats.Tar.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.IO.Compression.ZipFile.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdbSHA256(^e source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1820869663.000000000CAF0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820979803.000000000CB91000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Linq.Expressions.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834088849.000000000E5B0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Memory.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832707797.000000000D6F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832665993.000000000D6C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834219419.000000000E610000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.IO.Pipes.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Core/Release/net8.0-windows/System.Core.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1820869663.000000000CAF0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820979803.000000000CB91000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net8.0\System.Linq.Expressions.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.IO.IsolatedStorage.ni.pdbz source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes\Release\net8.0-windows\System.IO.Pipes.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Net.Security.ni.pdb2 source: Launcher_x32_x64.exe, 00000000.00000002.1820869663.000000000CAF0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820979803.000000000CB91000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.MemoryMappedFiles\Release\net8.0-windows\System.IO.MemoryMappedFiles.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression.Brotli\Release\net8.0-windows\System.IO.Compression.Brotli.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832613932.000000000D6A1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832560553.000000000D674000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.StackTrace\Release\net8.0\System.Diagnostics.StackTrace.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.Net.NameResolution.ni.pdbu? source: Launcher_x32_x64.exe, 00000000.00000002.1834145533.000000000E5F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834104783.000000000E5C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Formats.Asn1.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdbSHA256l8 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Watcher\Release\net8.0-windows\System.IO.FileSystem.Watcher.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.FileSystem/Release/net8.0-windows/System.IO.FileSystem.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Console.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1833876636.000000000E4A0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1833941119.000000000E521000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel\Release\net8.0\System.ComponentModel.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834316222.000000000E800000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.IO.Pipes.ni.pdb? source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Core/Release/net8.0-windows/System.Core.pdbSHA2564- source: Launcher_x32_x64.exe
Source: Binary string: System.Net.Http.ni.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1819849440.000000000AD61000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1819406365.000000000AB50000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.IO.FileSystem.AccessControl.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.StackTrace.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.Specialized.ni.pdbI source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdbSHA256R source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832560553.000000000D674000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression.ZipFile\Release\net8.0-windows\System.IO.Compression.ZipFile.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net8.0-windows/Microsoft.VisualBasic.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.IO.Compression.ZipFile.ni.pdb(Qw source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1834316222.000000000E800000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Globalization/Release/net8.0-windows/System.Globalization.pdbSHA256& source: Launcher_x32_x64.exe
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.ComponentModel.DataAnnotations/Release/net8.0-windows/System.ComponentModel.DataAnnotations.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.IO.Compression.Brotli.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834145533.000000000E5F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834104783.000000000E5C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: \Desktop\ProjectLoader\Project\obj\Release\net8.0\win-x86\Project.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.ni.pdb_ source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256?) source: Launcher_x32_x64.exe, 00000000.00000002.1832560553.000000000D674000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Diagnostics.TextWriterTraceListener.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Private.CoreLib.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Globalization.Extensions/Release/net8.0-windows/System.Globalization.Extensions.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Annotations\Release\net8.0\System.ComponentModel.Annotations.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.CSharp\Release\net8.0-windows\Microsoft.CSharp.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.AccessControl\Release\net8.0-windows\System.IO.FileSystem.AccessControl.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Globalization.Extensions/Release/net8.0-windows/System.Globalization.Extensions.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Drawing/Release/net8.0-windows/System.Drawing.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Threading.ni.pdb_ source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832370982.000000000D2C1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Data/Release/net8.0-windows/System.Data.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1832707797.000000000D6F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832665993.000000000D6C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832707797.000000000D6F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832665993.000000000D6C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.StackTrace\Release\net8.0\System.Diagnostics.StackTrace.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.Immutable.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO/Release/net8.0-windows/System.IO.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.FileSystem/Release/net8.0-windows/System.IO.FileSystem.pdbSHA256!"u source: Launcher_x32_x64.exe
Source: Binary string: System.Net.NameResolution.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834145533.000000000E5F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834104783.000000000E5C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: \Desktop\ProjectLoader\Project\obj\Release\net8.0\win-x86\Project.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Primitives/Release/net8.0-windows/System.Security.Cryptography.Primitives.pdbSHA256& source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256I source: Launcher_x32_x64.exe, 00000000.00000002.1834088849.000000000E5B0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net8.0\System.Linq.Expressions.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: Microsoft.CSharp.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdbSHA256dXf source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.IsolatedStorage\Release\net8.0-windows\System.IO.IsolatedStorage.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.ComponentModel.TypeConverter.ni.pdbV@ source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression\Release\net8.0-windows\System.IO.Compression.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Diagnostics.TraceSource.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Security.Principal.Windows.ni.pdbf source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Private.Uri.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1823830750.000000000D011000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1822713713.000000000CFD0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression\Release\net8.0-windows\System.IO.Compression.pdbSHA256ENA source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Globalization/Release/net8.0-windows/System.Globalization.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.FileSystem.Primitives/Release/net8.0-windows/System.IO.FileSystem.Primitives.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net8.0-windows\Microsoft.VisualBasic.Core.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Diagnostics.StackTrace.ni.pdbAM source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Asn1\Release\net8.0\System.Formats.Asn1.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.NonGeneric.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.IsolatedStorage\Release\net8.0-windows\System.IO.IsolatedStorage.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.IO.Compression.ni.pdb: source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Primitives/Release/net8.0-windows/System.Security.Cryptography.Primitives.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.IO.Compression.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Security.Cryptography.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1821619144.000000000CE01000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Runtime.Serialization/Release/net8.0-windows/System.Runtime.Serialization.pdbSHA256y source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.Common\Release\net8.0\System.Data.Common.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.ComponentModel.TypeConverter.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Net.Primitives.ni.pdbS source: Launcher_x32_x64.exe, 00000000.00000002.1820113775.000000000AEE0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820163618.000000000AF31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: Microsoft.CSharp.ni.pdb^L[T source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Asn1\Release\net8.0\System.Formats.Asn1.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.IO.IsolatedStorage.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Drawing/Release/net8.0-windows/System.Drawing.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1820113775.000000000AEE0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820163618.000000000AF31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1819849440.000000000AD61000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1819406365.000000000AB50000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdbSHA256M source: Launcher_x32_x64.exe
Source: Binary string: BitLockerToGo.pdbGCTL source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003F4C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1882156226.0000000002F15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Formats.Asn1.ni.pdbd source: Launcher_x32_x64.exe
Source: Binary string: System.IO.FileSystem.Watcher.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.MemoryMappedFiles\Release\net8.0-windows\System.IO.MemoryMappedFiles.pdbSHA256? source: Launcher_x32_x64.exe
Source: Binary string: System.Net.Http.ni.pdb,U source: Launcher_x32_x64.exe, 00000000.00000002.1819849440.000000000AD61000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1819406365.000000000AB50000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.Data.Common.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.UnmanagedMemoryStream/Release/net8.0-windows/System.IO.UnmanagedMemoryStream.pdbSHA256#N source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdbSHA256Bs source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.ComponentModel.DataAnnotations/Release/net8.0-windows/System.ComponentModel.DataAnnotations.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.Net.Primitives.ni.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1820113775.000000000AEE0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820163618.000000000AF31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.FileVersionInfo\Release\net8.0-windows\System.Diagnostics.FileVersionInfo.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression.ZipFile\Release\net8.0-windows\System.IO.Compression.ZipFile.pdbSHA256X source: Launcher_x32_x64.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_004321F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_004323E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_00419040
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, word ptr [ecx+esi*2] 3_2_0042D070
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 3_2_00434030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000280h] 3_2_0040D0D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_004208E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [eax], dl 3_2_0040D978
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 3_2_00434110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 3_2_00434110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx esi, byte ptr [edx+eax-01h] 3_2_004089F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [ebx], 00000022h 3_2_00420980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [ebx] 3_2_00435990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_00413A4A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then add edi, 02h 3_2_00413A4A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 3_2_0041FACE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_0041FACE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 3_2_00435280
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 3_2_00403290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp] 3_2_004312A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+1Ch] 3_2_0040B310
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [esi], cx 3_2_0041BB22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, word ptr [ecx] 3_2_0041BB22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, dword ptr [esp+40h] 3_2_0041BB22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, 00008000h 3_2_004043C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 84AA3BD1h 3_2_004353C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_0043238A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [ebp-1Ch] 3_2_00433BA8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 3_2_00433C40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 3_2_00434450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 3_2_004324BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_00429540
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [ebp-1Ch] 3_2_004335D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 3_2_00418DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 3_2_0040FDEB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebp, eax 3_2_0041EDFE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 3_2_00433D90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esi+08h], eax 3_2_004235B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], al 3_2_004235B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [edi], dl 3_2_004235B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 3_2_0042F6F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edx] 3_2_00431E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov esi, dword ptr [esp] 3_2_00433F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 3_2_00412F50
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp cl, 0000002Eh 3_2_0041D752
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov byte ptr [ecx], al 3_2_00414770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 3_2_00412FA0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+000000B0h] 3_2_0040F7AA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea ebx, dword ptr [esp+08h] 3_2_0041F7B2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 3_2_004197B7

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.4:54383 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.4:51944 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055489 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 172.67.209.93:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 172.67.209.93:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49740 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 188.114.97.3:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: tenseddrywsqio.shop
Source: Malware configuration extractor URLs: evoliutwoqm.shop
Source: Malware configuration extractor URLs: traineiwnqo.shop
Source: Malware configuration extractor URLs: locatedblsoqp.shop
Source: Malware configuration extractor URLs: stagedchheiqwo.shop
Source: Malware configuration extractor URLs: condedqpwqm.shop
Source: Malware configuration extractor URLs: caffegclasiqwp.shop
Source: Malware configuration extractor URLs: millyscroqwp.shop
Source: Malware configuration extractor URLs: stamppreewntnq.shop
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /scl/fi/zggrbdmbru8wwpp19fnal/Launcher.exe?rlkey=oyhv29cvxml0f5jh9a6ijy93p&st=su8clvok&dl=1 HTTP/1.1Host: www.dropbox.com
Source: global traffic HTTP traffic detected: GET /cd/0/get/CZuc7lbOcorcPO1KnxZRm4I-EZZJmX4CAtKb51Ff50K-MBU4Nlue9UTG2pSEpIIqdE9VtxyEjty_TXqZ6fmGkkyezkdESSzw2JVLLryoStBMg9uHfHjByfogdOWZUZ_u2nqNaED64BuzF6YgGT3bVBkI/file?dl=1 HTTP/1.1Host: uc65f56b62827632faafd635f90d.dl.dropboxusercontent.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.125.66.18 162.125.66.18
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 162.125.66.15 162.125.66.15
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 162.125.66.15:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49730 -> 162.125.66.18:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tenseddrywsqio.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locatedblsoqp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: traineiwnqo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=IAk_vZghbJqabKehgfKUmHgpPk7AWGGsinz4AYZdsUk-1725131904-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: traineiwnqo.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /scl/fi/zggrbdmbru8wwpp19fnal/Launcher.exe?rlkey=oyhv29cvxml0f5jh9a6ijy93p&st=su8clvok&dl=1 HTTP/1.1Host: www.dropbox.com
Source: global traffic HTTP traffic detected: GET /cd/0/get/CZuc7lbOcorcPO1KnxZRm4I-EZZJmX4CAtKb51Ff50K-MBU4Nlue9UTG2pSEpIIqdE9VtxyEjty_TXqZ6fmGkkyezkdESSzw2JVLLryoStBMg9uHfHjByfogdOWZUZ_u2nqNaED64BuzF6YgGT3bVBkI/file?dl=1 HTTP/1.1Host: uc65f56b62827632faafd635f90d.dl.dropboxusercontent.com
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; font-src https://* data: ; frame-ancestors 'self' https://*.dropbox.com ; base-uri 'self' ; img-src https://* data: blob: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; media-src https://* blob: equals www.yahoo.com (Yahoo)
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fault-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; font-src https://* data: ; frame-ancestors 'self' https://*.dropbox.com ; base-uri 'self' ; img-src https://* data: blob: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; media-src https://* blob:$! equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic DNS traffic detected: DNS query: uc65f56b62827632faafd635f90d.dl.dropboxusercontent.com
Source: global traffic DNS traffic detected: DNS query: tenseddrywsqio.shop
Source: global traffic DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic DNS traffic detected: DNS query: traineiwnqo.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tenseddrywsqio.shop
Source: Launcher_x32_x64.exe String found in binary or memory: http://.css
Source: Launcher_x32_x64.exe String found in binary or memory: http://.jpg
Source: Launcher_x32_x64.exe String found in binary or memory: http://html4/loose.dtd
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.o
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://uc65f56b62827632faafd635f90d.dl.dropboxusercontent.com:443/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://a.sprig.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/gsi/client
Source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/binaryformatter
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?GetWindowsDirectory
Source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817950421.0000000009F64000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.000000000936A000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817950421.0000000009F64000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.000000000936A000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.0000000009F64000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.000000000936A000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failedFramework:
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet/download
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet/downloadInstall
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet/info
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet/sdk-not-foundFailed
Source: Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: Launcher_x32_x64.exe, 00000000.00000002.1835804518.000000000F231000.00000004.00001000.00020000.00000000.sdmp, 4ud5if5k.0ze.exe, 00000001.00000000.1813573976.0000000000D9D000.00000002.00000001.01000000.00000005.sdmp, 4ud5if5k.0ze.exe.0.dr String found in binary or memory: https://api.loganalytics.iohttps://api.loganalytics.usencountered
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://api.login.yahoo.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://app.hellofax.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://app.hellosign.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://canny.io/sdk.js
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cfl.dropboxstatic.com/static/
Source: Launcher_x32_x64.exe, 00000000.00000002.1835804518.000000000F231000.00000004.00001000.00020000.00000000.sdmp, 4ud5if5k.0ze.exe, 00000001.00000000.1813573976.0000000000D9D000.00000002.00000001.01000000.00000005.sdmp, 4ud5if5k.0ze.exe.0.dr String found in binary or memory: https://datalake.azure.net/https://graph.microsoft.us/servicebus.chinacloudapi.cndocuments.microsoft
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dl-web.dropbox.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/fsip/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/fsip/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/fsip/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.sandbox.google.com/document/fsip/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docsend.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://experience.dropbox.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1835804518.000000000F231000.00000004.00001000.00020000.00000000.sdmp, 4ud5if5k.0ze.exe, 00000001.00000000.1813573976.0000000000D9D000.00000002.00000001.01000000.00000005.sdmp, 4ud5if5k.0ze.exe.0.dr String found in binary or memory: https://gallery.usgovcloudapi.net/mariadb.database.usgovcloudapi.netdev.azuresynapse.usgovcloudapi.n
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtime
Source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtime/issues/50821
Source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtime7
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtime;
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtime?
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtimeI_#
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtime_
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtimeab
Source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/dotnet/runtimef
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtimeiT
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtimer
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/dotnet/runtimev
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/mono/linker/issues/1187
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/mono/linker/issues/1416.
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/mono/linker/issues/1731
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/mono/linker/issues/1895v
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/mono/linker/issues/1906.
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/mono/linker/issues/1981
Source: Launcher_x32_x64.exe String found in binary or memory: https://github.com/mono/linker/issues/378
Source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp String found in binary or memory: https://github.com/mono/linker/pull/649
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://help.dropbox.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1835804518.000000000F231000.00000004.00001000.00020000.00000000.sdmp, 4ud5if5k.0ze.exe, 00000001.00000000.1813573976.0000000000D9D000.00000002.00000001.01000000.00000005.sdmp, 4ud5if5k.0ze.exe.0.dr String found in binary or memory: https://login.microsoftonline.com/METRIC_AZURERM_API_REQUEST_BUCKETSlabel
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.yahoo.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1835804518.000000000F231000.00000004.00001000.00020000.00000000.sdmp, 4ud5if5k.0ze.exe, 00000001.00000000.1813573976.0000000000D9D000.00000002.00000001.01000000.00000005.sdmp, 4ud5if5k.0ze.exe.0.dr String found in binary or memory: https://management.azure.comfailed
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://navi.dropbox.jp/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://officeapps-df.live.com
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://officeapps.live.com
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/picker
Source: Launcher_x32_x64.exe, 00000000.00000002.1835804518.000000000F231000.00000004.00001000.00020000.00000000.sdmp, 4ud5if5k.0ze.exe, 00000001.00000000.1813573976.0000000000D9D000.00000002.00000001.01000000.00000005.sdmp, 4ud5if5k.0ze.exe.0.dr String found in binary or memory: https://ossrdbms-aad.database.chinacloudapi.cned25519:
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pal-test.adyen.com
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://paper.dropbox.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://photos.dropbox.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sales.dropboxbusiness.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://showcase.dropbox.com/
Source: BitLockerToGo.exe, 00000003.00000002.1925229586.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/api
Source: BitLockerToGo.exe, 00000003.00000002.1925229586.0000000002F1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/apij
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://uc65f56b62827632faafd635f90d.dl.dropboxusercontent.com/cd/0/get/CZuc7lbOcorcPO1KnxZRm4I-EZZJ
Source: Launcher_x32_x64.exe, 00000000.00000002.1835804518.000000000F231000.00000004.00001000.00020000.00000000.sdmp, 4ud5if5k.0ze.exe, 00000001.00000000.1813573976.0000000000D9D000.00000002.00000001.01000000.00000005.sdmp, 4ud5if5k.0ze.exe.0.dr String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comNtQuerySystemInformationAllo
Source: Launcher_x32_x64.exe, 00000000.00000002.1835804518.000000000F231000.00000004.00001000.00020000.00000000.sdmp, 4ud5if5k.0ze.exe, 00000001.00000000.1813573976.0000000000D9D000.00000002.00000001.01000000.00000005.sdmp, 4ud5if5k.0ze.exe.0.dr String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
Source: BitLockerToGo.exe, 00000003.00000003.1914096343.0000000002FA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000003.00000002.1925229586.0000000002F25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.docsend.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/page_success/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/pithos/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/playlist/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A71000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/scl/fi/zggrbdmbru8wwpp19fnal/Launcher.exe?rlkey=oyhv29cvxml0f5jh9a6ijy93p&st
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/service_worker.js
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/static/api/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/static/serviceworker/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/v/s/playlist/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropboxstatic.com/static/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.hellofax.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.hellosign.com/
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.paypal.com/sdk/js
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.209.93:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004292F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_004292F0
Contains functionality to read the clipboard data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004292F0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_004292F0
Contains functionality to record screenshots
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00421460 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 3_2_00421460

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.1894150698.0000000003C9E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Detected potential crypto function
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00F431A0 0_2_00F431A0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_01289570 0_2_01289570
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_010CA630 0_2_010CA630
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00F09B10 0_2_00F09B10
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_010C5F00 0_2_010C5F00
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00F12060 0_2_00F12060
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00FDC060 0_2_00FDC060
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0113F1A0 0_2_0113F1A0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00ED3390 0_2_00ED3390
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0114A440 0_2_0114A440
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_01093490 0_2_01093490
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0114B4F0 0_2_0114B4F0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0114B770 0_2_0114B770
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00EF7680 0_2_00EF7680
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0131A780 0_2_0131A780
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_01323650 0_2_01323650
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00FD7810 0_2_00FD7810
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00FF4900 0_2_00FF4900
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_01143B20 0_2_01143B20
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00F4CAB0 0_2_00F4CAB0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0114BAC0 0_2_0114BAC0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00ED7C10 0_2_00ED7C10
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0113AC70 0_2_0113AC70
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00E8EEE0 0_2_00E8EEE0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_01105E10 0_2_01105E10
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_01038E70 0_2_01038E70
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_01148EB0 0_2_01148EB0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00EF2F10 0_2_00EF2F10
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADDE9D0 0_2_0ADDE9D0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADCCCB0 0_2_0ADCCCB0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD9CC00 0_2_0AD9CC00
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADC8C20 0_2_0ADC8C20
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADA5040 0_2_0ADA5040
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD93BB0 0_2_0AD93BB0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADBABB0 0_2_0ADBABB0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADBBB20 0_2_0ADBBB20
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD9A8E0 0_2_0AD9A8E0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADD6910 0_2_0ADD6910
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD88FD0 0_2_0AD88FD0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD93F90 0_2_0AD93F90
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD9BF30 0_2_0AD9BF30
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD88C30 0_2_0AD88C30
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADB8D20 0_2_0ADB8D20
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADAB290 0_2_0ADAB290
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADBA0B0 0_2_0ADBA0B0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADB4600 0_2_0ADB4600
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADED410 0_2_0ADED410
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0ADC45E0 0_2_0ADC45E0
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD99540 0_2_0AD99540
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AF38840 0_2_0AF38840
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0CA9A950 0_2_0CA9A950
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0CBB62A0 0_2_0CBB62A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004321F0 3_2_004321F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0040C223 3_2_0040C223
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004323E3 3_2_004323E3
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0042D702 3_2_0042D702
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00404000 3_2_00404000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041F011 3_2_0041F011
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00434030 3_2_00434030
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0042C890 3_2_0042C890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0040D978 3_2_0040D978
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0040B900 3_2_0040B900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00434110 3_2_00434110
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004061F0 3_2_004061F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004089F0 3_2_004089F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00420980 3_2_00420980
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00435990 3_2_00435990
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00413A4A 3_2_00413A4A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0040E20B 3_2_0040E20B
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041CA10 3_2_0041CA10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00419A1F 3_2_00419A1F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00407A30 3_2_00407A30
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00401AD5 3_2_00401AD5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041D290 3_2_0041D290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041BB22 3_2_0041BB22
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041A330 3_2_0041A330
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004043C0 3_2_004043C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004353C0 3_2_004353C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0043238A 3_2_0043238A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00433BA8 3_2_00433BA8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00433C40 3_2_00433C40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00434450 3_2_00434450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00402410 3_2_00402410
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00414420 3_2_00414420
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00411CDA 3_2_00411CDA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004324BC 3_2_004324BC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041AD70 3_2_0041AD70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004335D2 3_2_004335D2
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00404DE0 3_2_00404DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041EDFE 3_2_0041EDFE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00433D90 3_2_00433D90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004235B0 3_2_004235B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00420E60 3_2_00420E60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0040FE01 3_2_0040FE01
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00401618 3_2_00401618
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00406ED0 3_2_00406ED0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00407EE0 3_2_00407EE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00431E80 3_2_00431E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004096A0 3_2_004096A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_004356B0 3_2_004356B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00433F40 3_2_00433F40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0041D752 3_2_0041D752
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0040CF60 3_2_0040CF60
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00414770 3_2_00414770
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00431710 3_2_00431710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00405780 3_2_00405780
Found potential string decryption / allocating functions
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 00409CD0 appears 87 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 004093E0 appears 38 times
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: String function: 00F4CAB0 appears 55 times
PE file contains executable resources (Code or Archives)
Source: Launcher_x32_x64.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Sample file is different than original file name gathered from version info
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilename vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1833876636.000000000E4A0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832992884.000000000D821000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1833941119.000000000E521000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832707797.000000000D6F1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832824855.000000000D771000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832457094.000000000D2E0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1820113775.000000000AEE0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834145533.000000000E5F1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1837314525.00000000117B0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1835804518.000000000FD63000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLauncher!.exe pP vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834219419.000000000E610000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832665993.000000000D6C0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1823830750.000000000D011000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Cryptography.Primitives.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Cryptography.X509Certificates.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832613932.000000000D6A1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1819849440.000000000AD61000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1837163704.0000000011700000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.FileVersionInfo.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1837163704.0000000011700000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: get_OriginalFilename vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1837163704.0000000011700000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: _originalFilename vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1837163704.0000000011700000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: <GetFileVersionInfoEx>g____PInvoke|2_0<GetFileVersionInfoSizeEx>g____PInvoke|3_0<VerQueryValue>g____PInvoke|4_0Span`1Kernel32UInt32<Module>HIWORDLOWORDVS_FIXEDFILEINFOSystem.IOdwFileDateLSdwFileVersionLSdwProductVersionLSdwFileDateMSdwFileVersionMSdwProductVersionMSdwFileOSVerLanguageNameWVerQueryValueWGetFileVersionInfoSizeExWGetFileVersionInfoExWlpDataAllocget_IsPatched_isPatchedIsPathFullyQualifiedAppendFormatted_fileBuildget_PrivateBuildget_IsPrivateBuild_isPrivateBuild_privateBuildget_SpecialBuildget_IsSpecialBuild_isSpecialBuild_specialBuild_productBuildAppenddwordGetPinnableReferenceFreeUnsafeGetLanguageAndCodePageGetVersionInfoForCodePagecodepageget_LanguageGetFileVersionLanguage_languagelpdwHandleFileVerLanguageNameget_FileName_fileNameget_InternalName_internalNameget_ProductName_productNameget_CompanyName_companyNameget_OriginalFilename_originalFilenamelpwstrFilenameSystem.RuntimeAppendLinedwFileTypeValueTypedwFileSubtypedwSignatureget_IsPreRelease_isPreReleaseCreate_filePrivate_productPrivateAssemblyMetadataAttributeCompilerGeneratedAttributeGeneratedCodeAttributeNeutralResourcesLanguageAttributeDebuggableAttributeNullableAttributeAssemblyTitleAttributeDisableRuntimeMarshallingAttributeTargetFrameworkAttributeSupportedOSPlatformAttributeInAttributeAssemblyFileVersionAttributeAssemblyInformationalVersionAttributeAssemblyDescriptionAttributeAssemblyDefaultAliasAttributeRefSafetyRulesAttributeDefaultDllImportSearchPathsAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeSkipLocalsInitAttributeCLSCompliantAttributeLibraryImportAttributeNullableContextAttributeNullablePublicOnlyAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeVerQueryValue__lpData_native__dwHandle_native__lpdwHandle_native__lpwstrFilename_native__lpSubBlock_native__pBlock_native__puLen_native__dwLen_native__lplpBuffer_native__dwFlags_nativecchLangwLangszLangSystem.Runtime.InteropServices.MarshallingSystem.Runtime.VersioningGetFileVersionStringToStringget_IsDebug_isDebugDllImportSearchPathGetFullPathPtrToStringUnilpSubBlockpBlockdwFileFlagsMaskMarshalAppendLiteralkernel32.dllversion.dllSystem.Diagnostics.FileVersionInfo.dllILLink.Substitutions.xmlSystemBooleanpuLendwLendwStrucVersionget_FileVersion_fileVersionget_ProductVersion_productVersionSystem.ReflectionFileNotFoundExceptionget_FileDescription_fileDescriptionGetFixedFileInfoSystem.Diagnostics.FileVersionInfoGetVersionInfoInteropIFormatProviderStringBuilderlplpBufferDefaultInterpolatedStringHandlerSystem.CodeDom.CompilerUtf16StringMarshaller_fileMajor_productMajor_fileMinor_productMinor.ctormemPtrmemIntPtrSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesFxResources.System.Diagnostics.FileVersionInfo.SR.resourcesDebuggingModesdwFileFlagsdwFlagsget_LegalTrademarks_legalTrademarksget_Comments_commentsExistsObjectget_LegalCopyright_legalCopyrightSkipInitget_FileBuildPartget_ProductBuildPartget_FilePrivatePartget_ProductPrivatePar
Source: Launcher_x32_x64.exe, 00000000.00000002.1837163704.0000000011700000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: \\InternalName!\\LegalCopyright%\\OriginalFilename vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1837163704.0000000011700000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1817127137.0000000008AF1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1815899742.00000000014C3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemscordaccore.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1815899742.00000000014C3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameProject.dll0 vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1819627875.000000000AD00000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameProject.dll0 vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1821619144.000000000CE01000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832560553.000000000D674000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.RuntimeInformation.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832560553.000000000D674000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1820869663.000000000CAF0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1820769827.000000000CA91000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832777393.000000000D720000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1820697643.000000000CA20000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Debug.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1820697643.000000000CA20000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834088849.000000000E5B0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.Overlapped.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832943278.000000000D7D0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Buffers.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832943278.000000000D7D0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1816814378.0000000005A8C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLauncher!.exe pP vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1837223963.0000000011761000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1822713713.000000000CFD0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1816948051.0000000006A71000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLauncher!.exe pP vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.Serialization.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1820979803.000000000CB91000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.Timer.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834473504.000000000EA60000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1819406365.000000000AB50000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1832370982.000000000D2C1000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1820163618.000000000AF31000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834316222.000000000E800000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Runtime.Intrinsics.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1820241343.000000000AF70000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Diagnostics.Tracing.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834516033.000000000EA91000.00000020.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe, 00000000.00000002.1834104783.000000000E5C0000.00000002.00000001.00040000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenamemscordaccore.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameProject.dll0 vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameMicrosoft.CSharp.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.Core.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameMicrosoft.VisualBasic.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.AppContext.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Buffers.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.ComponentModel.Annotations.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.ComponentModel.DataAnnotations.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.ComponentModel.EventBasedAsync.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.ComponentModel.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Configuration.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Console.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Core.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Data.Common.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Data.DataSetExtensions.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Data.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.Contracts.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.Debug.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.FileVersionInfo.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: get_OriginalFilename vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: _originalFilename vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: <GetFileVersionInfoEx>g____PInvoke|2_0<GetFileVersionInfoSizeEx>g____PInvoke|3_0<VerQueryValue>g____PInvoke|4_0Span`1Kernel32UInt32<Module>HIWORDLOWORDVS_FIXEDFILEINFOSystem.IOdwFileDateLSdwFileVersionLSdwProductVersionLSdwFileDateMSdwFileVersionMSdwProductVersionMSdwFileOSVerLanguageNameWVerQueryValueWGetFileVersionInfoSizeExWGetFileVersionInfoExWlpDataAllocget_IsPatched_isPatchedIsPathFullyQualifiedAppendFormatted_fileBuildget_PrivateBuildget_IsPrivateBuild_isPrivateBuild_privateBuildget_SpecialBuildget_IsSpecialBuild_isSpecialBuild_specialBuild_productBuildAppenddwordGetPinnableReferenceFreeUnsafeGetLanguageAndCodePageGetVersionInfoForCodePagecodepageget_LanguageGetFileVersionLanguage_languagelpdwHandleFileVerLanguageNameget_FileName_fileNameget_InternalName_internalNameget_ProductName_productNameget_CompanyName_companyNameget_OriginalFilename_originalFilenamelpwstrFilenameSystem.RuntimeAppendLinedwFileTypeValueTypedwFileSubtypedwSignatureget_IsPreRelease_isPreReleaseCreate_filePrivate_productPrivateAssemblyMetadataAttributeCompilerGeneratedAttributeGeneratedCodeAttributeNeutralResourcesLanguageAttributeDebuggableAttributeNullableAttributeAssemblyTitleAttributeDisableRuntimeMarshallingAttributeTargetFrameworkAttributeSupportedOSPlatformAttributeInAttributeAssemblyFileVersionAttributeAssemblyInformationalVersionAttributeAssemblyDescriptionAttributeAssemblyDefaultAliasAttributeRefSafetyRulesAttributeDefaultDllImportSearchPathsAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeSkipLocalsInitAttributeCLSCompliantAttributeLibraryImportAttributeNullableContextAttributeNullablePublicOnlyAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeVerQueryValue__lpData_native__dwHandle_native__lpdwHandle_native__lpwstrFilename_native__lpSubBlock_native__pBlock_native__puLen_native__dwLen_native__lplpBuffer_native__dwFlags_nativecchLangwLangszLangSystem.Runtime.InteropServices.MarshallingSystem.Runtime.VersioningGetFileVersionStringToStringget_IsDebug_isDebugDllImportSearchPathGetFullPathPtrToStringUnilpSubBlockpBlockdwFileFlagsMaskMarshalAppendLiteralkernel32.dllversion.dllSystem.Diagnostics.FileVersionInfo.dllILLink.Substitutions.xmlSystemBooleanpuLendwLendwStrucVersionget_FileVersion_fileVersionget_ProductVersion_productVersionSystem.ReflectionFileNotFoundExceptionget_FileDescription_fileDescriptionGetFixedFileInfoSystem.Diagnostics.FileVersionInfoGetVersionInfoInteropIFormatProviderStringBuilderlplpBufferDefaultInterpolatedStringHandlerSystem.CodeDom.CompilerUtf16StringMarshaller_fileMajor_productMajor_fileMinor_productMinor.ctormemPtrmemIntPtrSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesFxResources.System.Diagnostics.FileVersionInfo.SR.resourcesDebuggingModesdwFileFlagsdwFlagsget_LegalTrademarks_legalTrademarksget_Comments_commentsExistsObjectget_LegalCopyright_legalCopyrightSkipInitget_FileBuildPartget_ProductBuildPartget_FilePrivatePartget_ProductPrivatePar
Source: Launcher_x32_x64.exe Binary or memory string: \\InternalName!\\LegalCopyright%\\OriginalFilename vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.StackTrace.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.TextWriterTraceListener.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.Tools.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.TraceSource.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Diagnostics.Tracing.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Drawing.Primitives.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Drawing.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Dynamic.Runtime.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Formats.Asn1.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Formats.Tar.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Globalization.Calendars.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Globalization.Extensions.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Globalization.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.Compression.Brotli.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.Compression.FileSystem.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.Compression.ZipFile.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.FileSystem.AccessControl.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.FileSystem.DriveInfo.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.FileSystem.Primitives.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.FileSystem.Watcher.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.FileSystem.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.IsolatedStorage.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.Pipes.AccessControl.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.Pipes.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.UnmanagedMemoryStream.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.IO.dll@ vs Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Binary or memory string: OriginalFilenameSystem.Linq.Expressions.dll@ vs Launcher_x32_x64.exe
Uses 32bit PE files
Source: Launcher_x32_x64.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000001.00000002.1894150698.0000000003C9E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/1@5/4
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0108CE90 FormatMessageW,GetLastError,WideCharToMultiByte,GetLastError,WideCharToMultiByte,WideCharToMultiByte,MultiByteToWideChar,MultiByteToWideChar,wcscpy_s,HeapFree,HeapFree, 0_2_0108CE90
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_0042D5B9 CoCreateInstance,SysAllocString, 3_2_0042D5B9
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe File created: C:\Windows\Temp\4ud5if5k.0ze.exe Jump to behavior
Source: Launcher_x32_x64.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Launcher_x32_x64.exe Virustotal: Detection: 10%
Source: Launcher_x32_x64.exe String found in binary or memory: requests-started
Source: Launcher_x32_x64.exe String found in binary or memory: requests-started-rate
Source: Launcher_x32_x64.exe String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: Launcher_x32_x64.exe String found in binary or memory: Morph - Structs/AddrExp
Source: Launcher_x32_x64.exe String found in binary or memory: prejitNYI: patchpoint info generationlooptail.call and not BBINSTRImportationPre-importExpand patchpointsIndirect call transformProfile instrumentation prepPost-importProfile incorporationProfile instrumentationMorph - InliningMorph - InitAllocate ObjectsMorph - Add internal blocksRemove empty finallyRemove empty tryClone finallyMerge callfinally chainsUpdate flow graph early passUpdate finally target flagsEarly livenessMorph - Structs/AddrExpForward SubstitutionPhysical promotionMorph - ByRefsIdentify candidates for implicit byref copy omissionMorph - GlobalMorph - Promote StructsGS CookieMorph - FinishTail mergeCompute edge weights (1, false)Invert loopsMerge throw blocksOptimize control flowPost-morph tail mergeCompute blocks reachabilityOptimize layoutRedundant zero InitsSet block weightsClone loopsFind loopsClear loop infoUnroll loopsHoist loop codeMorph array opsOptimize boolsMark local varsSet block orderFind oper orderSSA: topological sortBuild SSA representationSSA: livenessSSA: Doms1SSA: insert phisSSA: DFEarly Value PropagationSSA: renameOptimize index checksDo value numberingVN based copy propOptimize Valnum CSEsRedundant branch optsVN based intrinsic expansionIf conversionAssertion propUpdate flow graph opt passVN-based dead store removalStress gtSplitTreeCompute edge weights (2, false)Expand static initExpand runtime lookupsInsert GC PollsExpand TLS accessRationalize IRDetermine first cold blockLocal var livenessDo 'simple' loweringPer block local var livenessLocal var liveness initLowering decompositionGlobal local var livenessCalculate stack level slotsLowering nodeinfoLSRA build intervalsLinear scan register allocLSRA resolveLSRA allocateGenerate codePlace 'align' instructionsEmit GC+EH tablesEmit codePost-EmitJIT Compilation time report:
Source: Launcher_x32_x64.exe String found in binary or memory: GC initialization failed with error 0x%08XVirtualAlloc2kernelbase.dllMapViewOfFile3bad array new lengthstring too longApplication root path is empty. This shouldn't happenUsing internal fxrUsing internal hostpolicy<path>--additionalprobingpath--depsfilePath containing probing policy and assemblies to probe for.--runtimeconfigPath to <application>.deps.json file.--fx-versionPath to <application>.runtimeconfig.json file.Version of the installed Shared Framework to use to run the application.<version><value>--roll-forward--additional-depsRoll forward to framework version (LatestPatch, Minor, LatestMinor, Major, LatestMajor, Disable)--roll-forward-on-no-candidate-fxPath to additional deps.json file.<obsolete><n>Parsed known arg %s = %ssdk %s %-*s %sFailed to parse supported options or their values:Application '%s' is not a managed executable.Using the provided arguments to determine the application to execute.dotnet exec needs a managed .dll or .exe extension. The application specified was '%s'Application '%s' does not exist.--- Executing in split/FX mode...The application to execute does not exist: '%s'--- Executing in muxer mode...--- Executing in a native executable mode...staticexec RID: %s
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet/download The path to an application .dll file to execute.path-to-application: --list-runtimes Display the installed runtimeshost-options:Common Options: --list-sdks Display the installed SDKs --info Display .NET information. -h|--help Displays this help.invalid string positionvector too longinvalid hash bucket countunordered_map/set too longA fatal error occurred while processing application bundleInvalid startup info: host_path, dotnet_root, and app_path should not be null.--- Invoked %s [version: %s]hostfxr_main_bundle_startupinfohostfxr_main_startupinfoget-native-search-directories.json.dev.jsonHosting components are already initialized. Re-initialization to execute an app is not allowed.|arch|/|tfm|Ignoring host interpreted additional probing path %s as it does not exist.Runtime config is cfg=%s dev=%s|arch|\|tfm|App runtimeconfig.json from [%s]Specified runtimeconfig.json from [%s]Ignoring additional probing path %s as it does not exist.The specified runtimeconfig.json [%s] does not existDetecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d].runtimeconfig.jsonInvalid runtimeconfig.json [%s] [%s].deps.jsonIt's invalid to use both '%s' and '%s' command line options.DOTNET_ADDITIONAL_DEPSThe specified deps.json [%s] does not existInvalid value for command line argument '%s'self-containedExecuting as a %s app as per config file [%s]HOSTFXR_PATHframework-dependent--list-sdks--list-runtimesUsing dotnet root path [%s]-?/?-h--help dotnet.dll--infoThe command could not be loaded, possibly because:
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet/download The path to an application .dll file to execute.path-to-application: --list-runtimes Display the installed runtimeshost-options:Common Options: --list-sdks Display the installed SDKs --info Display .NET information. -h|--help Displays this help.invalid string positionvector too longinvalid hash bucket countunordered_map/set too longA fatal error occurred while processing application bundleInvalid startup info: host_path, dotnet_root, and app_path should not be null.--- Invoked %s [version: %s]hostfxr_main_bundle_startupinfohostfxr_main_startupinfoget-native-search-directories.json.dev.jsonHosting components are already initialized. Re-initialization to execute an app is not allowed.|arch|/|tfm|Ignoring host interpreted additional probing path %s as it does not exist.Runtime config is cfg=%s dev=%s|arch|\|tfm|App runtimeconfig.json from [%s]Specified runtimeconfig.json from [%s]Ignoring additional probing path %s as it does not exist.The specified runtimeconfig.json [%s] does not existDetecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d].runtimeconfig.jsonInvalid runtimeconfig.json [%s] [%s].deps.jsonIt's invalid to use both '%s' and '%s' command line options.DOTNET_ADDITIONAL_DEPSThe specified deps.json [%s] does not existInvalid value for command line argument '%s'self-containedExecuting as a %s app as per config file [%s]HOSTFXR_PATHframework-dependent--list-sdks--list-runtimesUsing dotnet root path [%s]-?/?-h--help dotnet.dll--infoThe command could not be loaded, possibly because:
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: Launcher_x32_x64.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failedFramework: 'The framework 'You must install .NET Desktop Runtime to run this application.You must install or update .NET to run this application.Required:
Source: unknown Process created: C:\Users\user\Desktop\Launcher_x32_x64.exe "C:\Users\user\Desktop\Launcher_x32_x64.exe"
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Process created: C:\Windows\Temp\4ud5if5k.0ze.exe "C:\\Windows\\Temp\4ud5if5k.0ze.exe"
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Process created: C:\Windows\Temp\4ud5if5k.0ze.exe "C:\\Windows\\Temp\4ud5if5k.0ze.exe" Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: icu.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: wshunix.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: Launcher_x32_x64.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Launcher_x32_x64.exe Static file information: File size 62256356 > 1048576
Source: Launcher_x32_x64.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x53ca00
Source: Launcher_x32_x64.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x139400
Source: Launcher_x32_x64.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x134200
Source: Launcher_x32_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Launcher_x32_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Launcher_x32_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Launcher_x32_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Launcher_x32_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Launcher_x32_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Launcher_x32_x64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Launcher_x32_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Net.Sockets.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1833876636.000000000E4A0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1833941119.000000000E521000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Annotations\Release\net8.0\System.ComponentModel.Annotations.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdbSHA256y source: Launcher_x32_x64.exe
Source: Binary string: System.ComponentModel.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes\Release\net8.0-windows\System.IO.Pipes.pdbSHA256T source: Launcher_x32_x64.exe
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1821619144.000000000CE01000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Immutable\Release\net8.0\System.Collections.Immutable.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Net.Security.ni.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1820869663.000000000CAF0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820979803.000000000CB91000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.IO.MemoryMappedFiles.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Data/Release/net8.0-windows/System.Data.pdbSHA256> source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x86\Release\System.Private.CoreLib.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\dlls\mscordac\mscordaccore.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Formats.Tar.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA256^ source: Launcher_x32_x64.exe, 00000000.00000002.1834219419.000000000E610000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1819849440.000000000AD61000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1819406365.000000000AB50000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1823830750.000000000D011000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1822713713.000000000CFD0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1820113775.000000000AEE0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820163618.000000000AF31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.FileVersionInfo.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.Specialized.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.NonGeneric.ni.pdb@- source: Launcher_x32_x64.exe
Source: Binary string: BitLockerToGo.pdb source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003F4C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1882156226.0000000002F15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832370982.000000000D2C1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel\Release\net8.0\System.ComponentModel.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TextWriterTraceListener\Release\net8.0\System.Diagnostics.TextWriterTraceListener.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.UnmanagedMemoryStream/Release/net8.0-windows/System.IO.UnmanagedMemoryStream.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.FileSystem.Primitives/Release/net8.0-windows/System.IO.FileSystem.Primitives.pdbSHA256C source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Runtime.Serialization/Release/net8.0-windows/System.Runtime.Serialization.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Threading.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832370982.000000000D2C1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdbSHA256T/ source: Launcher_x32_x64.exe
Source: Binary string: System.Private.CoreLib.ni.pdbd source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832613932.000000000D6A1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832560553.000000000D674000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdbSHA256d source: Launcher_x32_x64.exe, 00000000.00000002.1834145533.000000000E5F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834104783.000000000E5C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdbSHA256f source: Launcher_x32_x64.exe
Source: Binary string: System.Drawing.Primitives.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.ComponentModel.Annotations.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.Concurrent.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO/Release/net8.0-windows/System.IO.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net8.0-windows/Microsoft.VisualBasic.pdbSHA256P source: Launcher_x32_x64.exe
Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Tar\Release\net8.0-windows\System.Formats.Tar.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.IO.Compression.ZipFile.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdbSHA256(^e source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1820869663.000000000CAF0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820979803.000000000CB91000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Linq.Expressions.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834088849.000000000E5B0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Memory.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832707797.000000000D6F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832665993.000000000D6C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834219419.000000000E610000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.IO.Pipes.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Core/Release/net8.0-windows/System.Core.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1820869663.000000000CAF0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820979803.000000000CB91000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net8.0\System.Linq.Expressions.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x86.Release\Corehost.Static\singlefilehost.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.IO.IsolatedStorage.ni.pdbz source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes\Release\net8.0-windows\System.IO.Pipes.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Net.Security.ni.pdb2 source: Launcher_x32_x64.exe, 00000000.00000002.1820869663.000000000CAF0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820979803.000000000CB91000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.MemoryMappedFiles\Release\net8.0-windows\System.IO.MemoryMappedFiles.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression.Brotli\Release\net8.0-windows\System.IO.Compression.Brotli.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832613932.000000000D6A1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832560553.000000000D674000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.StackTrace\Release\net8.0\System.Diagnostics.StackTrace.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.Net.NameResolution.ni.pdbu? source: Launcher_x32_x64.exe, 00000000.00000002.1834145533.000000000E5F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834104783.000000000E5C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Formats.Asn1.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdbSHA256l8 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Watcher\Release\net8.0-windows\System.IO.FileSystem.Watcher.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.FileSystem/Release/net8.0-windows/System.IO.FileSystem.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Console.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1833876636.000000000E4A0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1833941119.000000000E521000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel\Release\net8.0\System.ComponentModel.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834316222.000000000E800000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.IO.Pipes.ni.pdb? source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Core/Release/net8.0-windows/System.Core.pdbSHA2564- source: Launcher_x32_x64.exe
Source: Binary string: System.Net.Http.ni.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1819849440.000000000AD61000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1819406365.000000000AB50000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.IO.FileSystem.AccessControl.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.StackTrace.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.Specialized.ni.pdbI source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdbSHA256R source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832560553.000000000D674000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression.ZipFile\Release\net8.0-windows\System.IO.Compression.ZipFile.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/Microsoft.VisualBasic/Release/net8.0-windows/Microsoft.VisualBasic.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.IO.Compression.ZipFile.ni.pdb(Qw source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Intrinsics\Release\net8.0\System.Runtime.Intrinsics.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1834316222.000000000E800000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Globalization/Release/net8.0-windows/System.Globalization.pdbSHA256& source: Launcher_x32_x64.exe
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.ComponentModel.DataAnnotations/Release/net8.0-windows/System.ComponentModel.DataAnnotations.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.IO.Compression.Brotli.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834145533.000000000E5F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834104783.000000000E5C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: \Desktop\ProjectLoader\Project\obj\Release\net8.0\win-x86\Project.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.ni.pdb_ source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256?) source: Launcher_x32_x64.exe, 00000000.00000002.1832560553.000000000D674000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Diagnostics.TextWriterTraceListener.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Private.CoreLib.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1817950421.00000000098D1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1817301885.0000000008CD0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Globalization.Extensions/Release/net8.0-windows/System.Globalization.Extensions.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Annotations\Release\net8.0\System.ComponentModel.Annotations.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.CSharp\Release\net8.0-windows\Microsoft.CSharp.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.AccessControl\Release\net8.0-windows\System.IO.FileSystem.AccessControl.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Globalization.Extensions/Release/net8.0-windows/System.Globalization.Extensions.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Drawing/Release/net8.0-windows/System.Drawing.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Threading.ni.pdb_ source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832370982.000000000D2C1000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Data/Release/net8.0-windows/System.Data.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1832707797.000000000D6F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832665993.000000000D6C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1832707797.000000000D6F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1832665993.000000000D6C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.StackTrace\Release\net8.0\System.Diagnostics.StackTrace.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.Immutable.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO/Release/net8.0-windows/System.IO.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.FileSystem/Release/net8.0-windows/System.IO.FileSystem.pdbSHA256!"u source: Launcher_x32_x64.exe
Source: Binary string: System.Net.NameResolution.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834145533.000000000E5F1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834104783.000000000E5C0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: \Desktop\ProjectLoader\Project\obj\Release\net8.0\win-x86\Project.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1834746292.000000000EB10000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834791513.000000000EB31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Primitives/Release/net8.0-windows/System.Security.Cryptography.Primitives.pdbSHA256& source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256I source: Launcher_x32_x64.exe, 00000000.00000002.1834088849.000000000E5B0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq.Expressions\Release\net8.0\System.Linq.Expressions.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1832317142.000000000D2A0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: Microsoft.CSharp.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.X509Certificates/Release/net8.0-windows/System.Security.Cryptography.X509Certificates.pdbSHA256dXf source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.IsolatedStorage\Release\net8.0-windows\System.IO.IsolatedStorage.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.ComponentModel.TypeConverter.ni.pdbV@ source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression\Release\net8.0-windows\System.IO.Compression.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Diagnostics.TraceSource.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Security.Principal.Windows.ni.pdbf source: Launcher_x32_x64.exe, 00000000.00000002.1834663564.000000000EAE1000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1834617042.000000000EAB0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Private.Uri.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1823830750.000000000D011000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1822713713.000000000CFD0000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression\Release\net8.0-windows\System.IO.Compression.pdbSHA256ENA source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Globalization/Release/net8.0-windows/System.Globalization.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.FileSystem.Primitives/Release/net8.0-windows/System.IO.FileSystem.Primitives.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net8.0-windows\Microsoft.VisualBasic.Core.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Diagnostics.StackTrace.ni.pdbAM source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Asn1\Release\net8.0\System.Formats.Asn1.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Collections.NonGeneric.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.IsolatedStorage\Release\net8.0-windows\System.IO.IsolatedStorage.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.IO.Compression.ni.pdb: source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Primitives/Release/net8.0-windows/System.Security.Cryptography.Primitives.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: System.IO.Compression.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Security.Cryptography.ni.pdb source: Launcher_x32_x64.exe, 00000000.00000002.1821107705.000000000CC30000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1821619144.000000000CE01000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Runtime.Serialization/Release/net8.0-windows/System.Runtime.Serialization.pdbSHA256y source: Launcher_x32_x64.exe, 00000000.00000002.1819654142.000000000AD10000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.Common\Release\net8.0\System.Data.Common.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.ComponentModel.TypeConverter.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Net.Primitives.ni.pdbS source: Launcher_x32_x64.exe, 00000000.00000002.1820113775.000000000AEE0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820163618.000000000AF31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: Microsoft.CSharp.ni.pdb^L[T source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Asn1\Release\net8.0\System.Formats.Asn1.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.IO.IsolatedStorage.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Drawing/Release/net8.0-windows/System.Drawing.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdbSHA256 source: Launcher_x32_x64.exe, 00000000.00000002.1820113775.000000000AEE0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820163618.000000000AF31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1819849440.000000000AD61000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1819406365.000000000AB50000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.AppContext/Release/net8.0-windows/System.AppContext.pdbSHA256M source: Launcher_x32_x64.exe
Source: Binary string: BitLockerToGo.pdbGCTL source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003F4C000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.1882156226.0000000002F15000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: Launcher_x32_x64.exe
Source: Binary string: System.Formats.Asn1.ni.pdbd source: Launcher_x32_x64.exe
Source: Binary string: System.IO.FileSystem.Watcher.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.MemoryMappedFiles\Release\net8.0-windows\System.IO.MemoryMappedFiles.pdbSHA256? source: Launcher_x32_x64.exe
Source: Binary string: System.Net.Http.ni.pdb,U source: Launcher_x32_x64.exe, 00000000.00000002.1819849440.000000000AD61000.00000020.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1819406365.000000000AB50000.00000002.00000001.00040000.00000003.sdmp
Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.Data.Common.ni.pdb source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.IO.UnmanagedMemoryStream/Release/net8.0-windows/System.IO.UnmanagedMemoryStream.pdbSHA256#N source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.Buffers/Release/net8.0-windows/System.Buffers.pdbSHA256Bs source: Launcher_x32_x64.exe
Source: Binary string: /_/artifacts/obj/System.ComponentModel.DataAnnotations/Release/net8.0-windows/System.ComponentModel.DataAnnotations.pdbSHA256 source: Launcher_x32_x64.exe
Source: Binary string: System.Net.Primitives.ni.pdb source: Launcher_x32_x64.exe, Launcher_x32_x64.exe, 00000000.00000002.1820113775.000000000AEE0000.00000002.00000001.00040000.00000003.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1820163618.000000000AF31000.00000020.00000001.00040000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.FileVersionInfo\Release\net8.0-windows\System.Diagnostics.FileVersionInfo.pdb source: Launcher_x32_x64.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Compression.ZipFile\Release\net8.0-windows\System.IO.Compression.ZipFile.pdbSHA256X source: Launcher_x32_x64.exe
Source: Launcher_x32_x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Launcher_x32_x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Launcher_x32_x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Launcher_x32_x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Launcher_x32_x64.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains sections with non-standard names
Source: Launcher_x32_x64.exe Static PE information: section name: .CLR_UEF
Source: Launcher_x32_x64.exe Static PE information: section name: .didat
Source: Launcher_x32_x64.exe Static PE information: section name: _RDATA
Source: 4ud5if5k.0ze.exe.0.dr Static PE information: section name: .symtab
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD64962 push ds; retf 0_2_0AD64964
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD656B0 push ds; retf 0_2_0AD656BC
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD614EE push 00000007h; ret 0_2_0AD61596
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AD61498 push 00000007h; ret 0_2_0AD61596
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AF32BAD pushfd ; iretd 0_2_0AF32BB1
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AF31EB9 push ds; iretd 0_2_0AF31EBB
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AF322AF push esi; iretd 0_2_0AF322B5
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AF3324D push es; iretd 0_2_0AF3324E
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AF33091 push dword ptr [ecx]; iretd 0_2_0AF330BD
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AF33031 push ebp; iretd 0_2_0AF33032
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AF326BD push cs; iretd 0_2_0AF326BE
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0AF335C9 pushfd ; iretd 0_2_0AF335CA
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0CA94E41 push edi; iretd 0_2_0CA94E42
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0CA92BA8 push ds; iretd 0_2_0CA92D0E
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0CA94B9A push esi; iretd 0_2_0CA94BA1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00439B1C push edx; retf 0040h 3_2_00439B1D
Drops PE files
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe File created: C:\Windows\Temp\4ud5if5k.0ze.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe File created: C:\Windows\Temp\4ud5if5k.0ze.exe Jump to dropped file
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Memory allocated: 5810000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Memory allocated: 5A70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Memory allocated: 8A70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Memory allocated: F230000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Memory allocated: 11230000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0109A6E0 rdtsc 0_2_0109A6E0
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Window / User API: threadDelayed 598 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe TID: 7852 Thread sleep count: 62 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe TID: 7852 Thread sleep count: 148 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe TID: 7852 Thread sleep count: 51 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe TID: 7852 Thread sleep count: 598 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe TID: 7852 Thread sleep count: 154 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe TID: 7904 Thread sleep count: 258 > 30 Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7180 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_010860F0 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessAffinityMask,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc, 0_2_010860F0
Source: BitLockerToGo.exe, 00000003.00000002.1925229586.0000000002F13000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.1925229586.0000000002F41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Launcher_x32_x64.exe, 00000000.00000003.1776700067.0000000003AE7000.00000004.00000020.00020000.00000000.sdmp, Launcher_x32_x64.exe, 00000000.00000002.1816330879.0000000003AE7000.00000004.00000020.00020000.00000000.sdmp, Launcher_x32_x64.exe, 00000000.00000003.1814416338.0000000003AE7000.00000004.00000020.00020000.00000000.sdmp, Launcher_x32_x64.exe, 00000000.00000003.1776987722.0000000003AE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: 4ud5if5k.0ze.exe, 00000001.00000002.1883780092.0000000001D0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe API call chain: ExitProcess graph end node
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0109A6E0 rdtsc 0_2_0109A6E0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 3_2_00432B70 LdrInitializeThunk, 3_2_00432B70
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_010A92B0 IsDebuggerPresent,RaiseException, 0_2_010A92B0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_010C9010 GetProcessHeap,HeapAlloc, 0_2_010C9010
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_01289570 VirtualProtect,GetTickCount,VirtualProtect,GetSystemInfo,SetConsoleCtrlHandler,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,DebugBreak,SleepEx,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,RtlAddVectoredExceptionHandler,SetUnhandledExceptionFilter,InitializeCriticalSection,InitializeCriticalSection,VirtualAlloc,DebugBreak,InitializeCriticalSection, 0_2_01289570
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0131CA69 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0131CA69
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write Jump to behavior
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_00E806F0 IsDebuggerPresent,RaiseFailFastException,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,SetErrorMode,SetErrorMode,IsDebuggerPresent,DebugBreak,SetErrorMode,SetErrorMode, 0_2_00E806F0
Injects a PE file into a foreign processes
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: caffegclasiqwp.shop
Source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stamppreewntnq.shop
Source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stagedchheiqwo.shop
Source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: millyscroqwp.shop
Source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: evoliutwoqm.shop
Source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condedqpwqm.shop
Source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: traineiwnqo.shop
Source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: locatedblsoqp.shop
Source: 4ud5if5k.0ze.exe, 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: tenseddrywsqio.shop
Writes to foreign memory regions
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2D3D008 Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000 Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 436000 Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 439000 Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 448000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Process created: C:\Windows\Temp\4ud5if5k.0ze.exe "C:\\Windows\\Temp\4ud5if5k.0ze.exe" Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Queries volume information: C:\Windows\Temp\4ud5if5k.0ze.exe VolumeInformation Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\Temp\4ud5if5k.0ze.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_010C3520 CreateNamedPipeA,GetLastError,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetLastError,CreateEventW,GetLastError,ConnectNamedPipe,GetLastError, 0_2_010C3520
Source: C:\Users\user\Desktop\Launcher_x32_x64.exe Code function: 0_2_0131D80E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0131D80E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 3.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1924955171.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1884184643.0000000003B36000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1894150698.0000000003C9E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 3.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1894150698.0000000003E01000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1924955171.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1884184643.0000000003B36000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1894150698.0000000003C9E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1502259 Sample: Launcher_x32_x64.exe Startdate: 31/08/2024 Architecture: WINDOWS Score: 100 25 traineiwnqo.shop 2->25 27 tenseddrywsqio.shop 2->27 29 5 other IPs or domains 2->29 35 Multi AV Scanner detection for domain / URL 2->35 37 Suricata IDS alerts for network traffic 2->37 39 Found malware configuration 2->39 41 7 other signatures 2->41 8 Launcher_x32_x64.exe 3 2->8         started        signatures3 process4 dnsIp5 31 edge-block-www-env.dropbox-dns.com 162.125.66.15, 443, 49731 DROPBOXUS United States 8->31 33 www-env.dropbox-dns.com 162.125.66.18, 443, 49730 DROPBOXUS United States 8->33 19 C:\Windows\Temp\4ud5if5k.0ze.exe, PE32 8->19 dropped 43 Contains functionality to prevent local Windows debugging 8->43 13 4ud5if5k.0ze.exe 8->13         started        file6 signatures7 process8 signatures9 45 Multi AV Scanner detection for dropped file 13->45 47 Writes to foreign memory regions 13->47 49 Allocates memory in foreign processes 13->49 51 2 other signatures 13->51 16 BitLockerToGo.exe 13->16         started        process10 dnsIp11 21 tenseddrywsqio.shop 172.67.209.93, 443, 49738 CLOUDFLARENETUS United States 16->21 23 traineiwnqo.shop 188.114.97.3, 443, 49739, 49740 CLOUDFLARENETUS European Union 16->23
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.125.66.18
 www-env.dropbox-dns.com United States
19679 DROPBOXUS false
172.67.209.93
 tenseddrywsqio.shop United States
13335 CLOUDFLARENETUS true
188.114.97.3
 locatedblsoqp.shop European Union
13335 CLOUDFLARENETUS true
162.125.66.15
 edge-block-www-env.dropbox-dns.com United States
19679 DROPBOXUS false

Contacted Domains

Name IP Active
locatedblsoqp.shop 188.114.97.3 true
edge-block-www-env.dropbox-dns.com 162.125.66.15 true
tenseddrywsqio.shop 172.67.209.93 true
www-env.dropbox-dns.com 162.125.66.18 true
traineiwnqo.shop 188.114.97.3 true
uc65f56b62827632faafd635f90d.dl.dropboxusercontent.com unknown unknown
www.dropbox.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://locatedblsoqp.shop/api true
  • URL Reputation: malware
 unknown
tenseddrywsqio.shop true
  • 15%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
locatedblsoqp.shop true
    		unknown
    caffegclasiqwp.shop true
    • URL Reputation: malware
    		 unknown
    millyscroqwp.shop true
    • URL Reputation: malware
    		 unknown
    traineiwnqo.shop true
      		unknown
      condedqpwqm.shop true
      • URL Reputation: phishing
      		 unknown
      https://tenseddrywsqio.shop/api true
      • Avira URL Cloud: malware
      		 unknown
      stagedchheiqwo.shop true
      • URL Reputation: phishing
      		 unknown
      stamppreewntnq.shop true
      • URL Reputation: phishing
      		 unknown
      evoliutwoqm.shop true
      • URL Reputation: safe
      		 unknown
      https://uc65f56b62827632faafd635f90d.dl.dropboxusercontent.com/cd/0/get/CZuc7lbOcorcPO1KnxZRm4I-EZZJmX4CAtKb51Ff50K-MBU4Nlue9UTG2pSEpIIqdE9VtxyEjty_TXqZ6fmGkkyezkdESSzw2JVLLryoStBMg9uHfHjByfogdOWZUZ_u2nqNaED64BuzF6YgGT3bVBkI/file?dl=1 false
      • Avira URL Cloud: safe
      		 unknown
      https://www.dropbox.com/scl/fi/zggrbdmbru8wwpp19fnal/Launcher.exe?rlkey=oyhv29cvxml0f5jh9a6ijy93p&st=su8clvok&dl=1 false
      • Avira URL Cloud: safe
      		 unknown