Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Malware Configuration Extractor: AsyncRAT {"Server": ")8\"zc", "Ports": "$A<IlE,84,7;&gV", "Version": "*wacp!]6l[e", "BDOS": "U^2", "AES_key": "R4OsSR16j3MjPEBlkfzyOGTLnlxVVuwW", "Mutex": "n#QO", "Certificate": "UDq5O^", "ServerSignature": "1", "Group": "Oy\\iql0S13XbS4sp1@PsWg:PGIw'~?Q;ifHa#3ef8L\"SpWzk,&&}s;$/?J9UH3>j3={V'nCn.PI*|e>4&k2[2Y\"w$T+^X_j9HSG[?b*'54eS5e_~(e#Z\"n,TX*T->_qfnrv]TM^:Sm1uBPI9|\\4a^^?R|av{V =9J2E|^{wS7Zq,=)a;uL uRaE\"K5bW ycl@NpcoGBww~DzGBkD+U1vws!$\"Awn}G}9cJ6;M^g4xsh'`s^(KX%.#m`^wc.Syd?~c\"Lsj>]?`qx7a!]~a7*CV\\/w6F+j0{&]M*&[7-]2Y</uTKz[gT&GM", "AntiProcess": "HB!<i[>IoEHueVuN1#fc!@?Z#TsdM.i5RX/xjjmOH +NC,v <85~NN!Z.)uebFY`", "PasteBin": "FLVl;"} |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2935177450.000000001BB4D000.00000004.00000020.00020000.00000000.sdmp, 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933228059.0000000001175000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933228059.00000000011CE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en8f |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Yara match |
File source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: dump.pcap, type: PCAP |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen |
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 00000000.00000002.2935177450.000000001BB22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.2935177450.000000001BA70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.2933228059.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Code function: 0_2_00007FFD9B898346 |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Code function: 0_2_00007FFD9B89C56F |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Code function: 0_2_00007FFD9B8990F2 |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Code function: 0_2_00007FFD9B8930E2 |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000000.1671267055.0000000000DDE000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameClient.exe" vs 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Binary or memory string: OriginalFilenameClient.exe" vs 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: dump.pcap, type: PCAP |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. |
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI |
Source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 00000000.00000002.2935177450.000000001BB22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.2935177450.000000001BA70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.2933228059.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, Settings.cs |
Base64 encoded string: 'm1SVmzq41bUtAgiVmChGud35fX/aUNtosr8PYStFYOAnPrN+XR+IkjYiqiUpGtB3iVUC/dwECsCyuNfy8XiQAX4f4BhMF5n5tkjlBy9/rl0=', 'iL4iV3kbq9Wc0eHBghluHFSJGvtmXcYzxD3f8ndQ9uTnqLo5XWL/Ob2NJszbQS9lzFt1jtk75UQxLxfydXIBbg==', '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', 'UB9UzwA9tGakGgTcozLufAUFQxQCuoOi+9ktVsBWG9zFIaU239Gos24AjhaHGQraIeSRRMO3GubTGWn/PCwrNYDzeS4gR3UOWKRrfG9785AWj+/K1SLSEQEyKczGXXNvpC+Yxv5Iymd50ZYpBzwc9x1ME3yP5inYKo5PAUjVoKBlbQlnkfav1AqoOrhH7ohpYYwiXO65nsLpVF8JreGq/VlAHr1JQ9fopC032bYNkBljQf6l83C+UrfxPGpwixgV84GrrDa4efbY4mhD/tCoGnoWO4dgjbGj+FO0qjoyq3E=', 'MIlzi1B7PthTHEHMqprZFE7qh2CwotWNt1bDN2lDdtoVWtDWHS/TzpIcw4Wbme2XtTl/hfh6Cu0vUdf8k+aIhQ==', 'K37OLhwW8YSNgPJaT0/aIK6XT8xXXyJ8hP5zAzYNpppfpBxw4RuVM3WlDbJs4ti69CCz6JpT8wlSjr3femWfpw==', 'j59e0As5uh5mS607NeJD0+mZaKrTbSvccTOP1iThRoCdeFwO1hE/wQ4vuh1aDrUI68wwcvmfYRuWnrMNT8SRhg==' |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, NormalStartup.cs |
Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==' |
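The two NormalStartup.cs strings above decode to the command prefix "/c schtasks /create /f /sc onlogon /rl highest /tn " and the registry path "SOFTWARE\Microsoft\Windows\CurrentVersion\Run\", i.e. the logon scheduled task and Run-key persistence that the AsyncRAT/DCRat client family installs. The Settings.cs strings are longer and do not decode to text; their lengths (80 and 64 bytes) fit the HMAC-SHA256 | IV | AES-CBC layout the public AsyncRAT client uses for its encrypted settings. The following triage script is an added example written for this page, not code from the Joe Sandbox report or from the RAT's source. It decodes and tags the persistence strings, splits the encrypted settings into their three fields, and shows the HMAC integrity check that a configuration extractor should run before decrypting. The layout, the PBKDF2-SHA1 derivation with 50000 iterations, the AsyncRAT salt bytes and the DCRat salt "DcRatByqwqdanchun" are taken from the public client sources as the author of this example recalls them and are assumptions, as is the idea that the unprintable Server/Ports/Version values in the extractor output at the top of this page are what decryption under a wrong key or salt produces. The script does no AES decryption (the standard library has none) and does not assume that the reported AES_key value is the raw passphrase.

```python
"""Triage helper for the base64 artifacts reported above.

Added example for this page; not part of the sandbox report or of the
AsyncRAT/DCRat source.  Layout, salts and iteration count are assumptions
taken from the public AsyncRAT client source as recalled by the author.
"""
import base64
import hashlib
import hmac
import re

# Strings copied from the report above (NormalStartup.cs and Settings.cs).
NORMAL_STARTUP_B64 = [
    "L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g",
    "U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==",
]
SETTINGS_B64 = [
    "m1SVmzq41bUtAgiVmChGud35fX/aUNtosr8PYStFYOAnPrN+XR+IkjYiqiUpGtB3iVUC/dwECsCyuNfy8XiQAX4f4BhMF5n5tkjlBy9/rl0=",
    "iL4iV3kbq9Wc0eHBghluHFSJGvtmXcYzxD3f8ndQ9uTnqLo5XWL/Ob2NJszbQS9lzFt1jtk75UQxLxfydXIBbg==",
]

HMAC_LEN, IV_LEN, BLOCK = 32, 16, 16   # assumption: HMAC-SHA256 | AES IV | AES-CBC body
PBKDF2_ITERATIONS = 50000              # assumption: AsyncRAT Aes256 class
ASYNCRAT_SALT = bytes([0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B,
                       0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
                       0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9,
                       0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41])
DCRAT_SALT = b"DcRatByqwqdanchun"       # assumption: the DCRat fork's salt; the
                                       # "DcRatBy" YARA string comes from it


def decode_startup_strings(blobs):
    """Decode the NormalStartup.cs strings and tag the persistence technique."""
    out = []
    for b in blobs:
        text = base64.b64decode(b).decode("utf-8", errors="replace")
        if re.search(r"schtasks\s+/create.*\s/sc\s+onlogon", text, re.I):
            tag = "scheduled task at logon"
            if "/rl highest" in text.lower():
                tag += " (highest run level)"
        elif text.lower().startswith(r"software\microsoft\windows\currentversion\run"):
            tag = "Run key persistence"
        else:
            tag = "unclassified"
        out.append((text, tag))
    return out


def split_blob(b64):
    """Split an encrypted setting into (hmac, iv, ciphertext), or None when the
    length cannot be HMAC-SHA256 | IV | a whole number of AES blocks."""
    raw = base64.b64decode(b64)
    body = len(raw) - HMAC_LEN - IV_LEN
    if body <= 0 or body % BLOCK:
        return None
    return raw[:HMAC_LEN], raw[HMAC_LEN:HMAC_LEN + IV_LEN], raw[HMAC_LEN + IV_LEN:]


def derive_keys(master_key, salt):
    """PBKDF2-HMAC-SHA1 (Rfc2898DeriveBytes default): 32-byte AES key followed
    by a 64-byte HMAC key, as one continuous derivation."""
    material = hashlib.pbkdf2_hmac("sha1", master_key, salt, PBKDF2_ITERATIONS, 96)
    return material[:32], material[32:]


def hmac_matches(b64, master_key, salt):
    """Integrity check over IV || ciphertext; run this before any AES decrypt,
    otherwise a wrong key or salt silently yields garbage 'settings'."""
    parts = split_blob(b64)
    if parts is None:
        return False
    tag, iv, ct = parts
    _, auth_key = derive_keys(master_key, salt)
    expected = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def make_test_blob(master_key, salt, fake_ciphertext, iv=b"\x00" * IV_LEN):
    """Build a blob with a valid HMAC over constructed bytes so the integrity
    path can be exercised offline without an AES implementation."""
    _, auth_key = derive_keys(master_key, salt)
    tag = hmac.new(auth_key, iv + fake_ciphertext, hashlib.sha256).digest()
    return base64.b64encode(tag + iv + fake_ciphertext).decode()


if __name__ == "__main__":
    for text, tag in decode_startup_strings(NORMAL_STARTUP_B64):
        print(f"{tag:45s} {text!r}")
    for b in SETTINGS_B64:
        parts = split_blob(b)
        print("layout ok, ciphertext bytes:", len(parts[2]) if parts else "bad layout")
```

To turn this into a real extractor, add an AES-256-CBC decrypt (for example from pycryptodome) that runs only when hmac_matches returns True, and try the candidate passphrase against both salts: a blob that verifies under the DCRat salt but not the AsyncRAT one explains an AsyncRAT-labelled extractor printing unreadable values for a DCRat build.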
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: schannel.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: mskeyprotect.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: ncryptsslp.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: cryptnet.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: webio.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: cabinet.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: sxs.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: devenum.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: devobj.dll |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Section loaded: msdmo.dll |
Source: Yara match |
File source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe |
Process information set: NOOPENFILEERRORBOX (the same error-mode setting is reported 50 times in this run) |
Source: Yara match |
File source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe.dd0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe TID: 6748 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe TID: 6744 |
Thread sleep time: -4611686018427385s >= -30000s |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe TID: 6768 |
Thread sleep count: 7297 > 30 |
Source: C:\Users\user\Desktop\172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe TID: 6768 |
Thread sleep count: 2558 > 30 |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2935735781.000000001BC05000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWIU |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2935735781.000000001BC05000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933228059.0000000001244000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, AntiProcess.cs |
Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId) |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, Win32.cs |
Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, Win32.cs |
Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, Amsi.cs |
Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _) |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.000000000340C000.00000004.00000800.00020000.00000000.sdmp, 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.000000000340C000.00000004.00000800.00020000.00000000.sdmp, 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2933845781.000000000313E000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager@ |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: MSASCui.exe |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000002.2935595084.000000001BBD1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: procexp.exe |
Source: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe, 00000000.00000000.1671251346.0000000000DD2000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: MsMpEng.exe |
Source: Yara match |
File source: 00000000.00000002.2933845781.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2933845781.0000000003156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe PID: 6456, type: MEMORYSTR |