Source: 0.2.loaddll32.exe.22d0174.3.unpack |
Avira: Label: TR/Kazy.4159236 |
Source: 1.2.rundll32.exe.3540000.5.unpack |
Avira: Label: TR/Patched.Ren.Gen |
Source: 1.2.rundll32.exe.3530174.4.unpack |
Avira: Label: TR/Kazy.4159236 |
Source: 0.2.loaddll32.exe.2430000.4.unpack |
Avira: Label: TR/Patched.Ren.Gen |
Source: |
Binary string: powrprof.pdbF source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.652704445.0000000004CEB000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: riched20.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb@ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdb. source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: winspool.pdb$ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: oleaut32.pdb< source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: usp10.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: winhttp.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: imagehlp.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: setupapi.pdb( source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: version.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: riched32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: wUxTheme.pdb$ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: rundll32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: version.pdb2 source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: msls31.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: msapplication.xml0.8.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x19bc77f4,0x01d6fbc9</date><accdate>0x19bc77f4,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml0.8.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x19bc77f4,0x01d6fbc9</date><accdate>0x19bc77f4,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook) |
Source: msapplication.xml5.8.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x19c13ca7,0x01d6fbc9</date><accdate>0x19c13ca7,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml5.8.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x19c13ca7,0x01d6fbc9</date><accdate>0x19c13ca7,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter) |
Source: msapplication.xml7.8.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x19c39f10,0x01d6fbc9</date><accdate>0x19c39f10,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: msapplication.xml7.8.dr |
String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x19c39f10,0x01d6fbc9</date><accdate>0x19c39f10,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube) |
Source: loaddll32.exe, 00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp, rundll32.exe, 00000001.00000002.678292603.0000000008010000.00000004.00000040.sdmp |
String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; |
Source: msapplication.xml.8.dr |
String found in binary or memory: http://www.amazon.com/ |
Source: msapplication.xml1.8.dr |
String found in binary or memory: http://www.google.com/ |
Source: msapplication.xml2.8.dr |
String found in binary or memory: http://www.live.com/ |
Source: msapplication.xml3.8.dr |
String found in binary or memory: http://www.nytimes.com/ |
Source: msapplication.xml4.8.dr |
String found in binary or memory: http://www.reddit.com/ |
Source: msapplication.xml5.8.dr |
String found in binary or memory: http://www.twitter.com/ |
Source: msapplication.xml6.8.dr |
String found in binary or memory: http://www.wikipedia.com/ |
Source: msapplication.xml7.8.dr |
String found in binary or memory: http://www.youtube.com/ |
Source: loaddll32.exe |
String found in binary or memory: https://topitophug.xyz |
Source: loaddll32.exe, 00000000.00000002.1020935253.0000000005360000.00000004.00000040.sdmp, ~DFF728301785477207.TMP.8.dr |
String found in binary or memory: https://topitophug.xyz/index.htm |
Source: {FC8A972A-67BB-11EB-90EB-ECF4BBEA1588}.dat.8.dr |
String found in binary or memory: https://topitophug.xyz/index.htm/index.htm |
Source: {FC8A972A-67BB-11EB-90EB-ECF4BBEA1588}.dat.8.dr |
String found in binary or memory: https://topitophug.xyz/index.htmRoot |
Source: Yara match |
File source: 00000000.00000003.647244035.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648667636.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648893530.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647868794.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648751901.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648917284.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648176949.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648860307.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647426858.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647623145.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.649011597.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647521163.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.649003327.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647703250.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1020935253.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.678292603.0000000008010000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648956787.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648265573.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648974202.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647795143.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647330409.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647948135.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648938200.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648374581.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648323443.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648615088.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648037894.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648828511.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648478035.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648792520.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648104820.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648425491.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648990980.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00420F9C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, |
1_2_00420F9C |
Source: Yara match |
File source: 00000000.00000003.647244035.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648667636.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648893530.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647868794.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648751901.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648917284.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648176949.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648860307.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647426858.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647623145.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.649011597.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647521163.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.649003327.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647703250.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1020935253.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.678292603.0000000008010000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648956787.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648265573.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648974202.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647795143.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647330409.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647948135.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648938200.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648374581.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648323443.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648615088.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648037894.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648828511.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648478035.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648792520.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648104820.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648425491.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648990980.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\System32\loaddll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00455C08 NtdllDefWindowProc_A,GetCapture, |
1_2_00455C08 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00442040 NtdllDefWindowProc_A, |
1_2_00442040 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_004427E8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
1_2_004427E8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00442898 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
1_2_00442898 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00429150 NtdllDefWindowProc_A, |
1_2_00429150 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0044B7E0 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, |
1_2_0044B7E0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_03552415 NtQueryVirtualMemory, |
1_2_03552415 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_035A1757 memcpy,memcpy,lstrcatW,CreateEventA,NtQueryInformationProcess,CloseHandle, |
1_2_035A1757 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_035A4DF0 NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,RtlNtStatusToDosError, |
1_2_035A4DF0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_035A6101 RtlNtStatusToDosError,NtClose, |
1_2_035A6101 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_035AAC53 RtlInitUnicodeString,NtClose,RtlNtStatusToDosError, |
1_2_035AAC53 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0043C538 |
1_2_0043C538 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0044B7E0 |
1_2_0044B7E0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_035521F4 |
1_2_035521F4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_03531768 |
1_2_03531768 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_03531D74 |
1_2_03531D74 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_035AB8DC |
1_2_035AB8DC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_035AC490 |
1_2_035AC490 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ioir.png.dll' |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ioir.png.dll',#1 |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 744 |
|
Source: unknown |
Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
|
Source: unknown |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17410 /prefetch:2 |
|
Source: unknown |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17418 /prefetch:2 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ioir.png.dll',#1 |
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17410 /prefetch:2 |
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17418 /prefetch:2 |
Source: |
Binary string: powrprof.pdbF source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.652704445.0000000004CEB000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: riched20.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb@ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdb. source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: winspool.pdb$ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: oleaut32.pdb< source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: usp10.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: winhttp.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: imagehlp.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: setupapi.pdb( source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: version.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: riched32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: wUxTheme.pdb$ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: rundll32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: version.pdb2 source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: msls31.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: |
Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp |
Source: |
Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00426E24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
1_2_00426E24 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0045D200 push 0045D28Dh; ret |
1_2_0045D285 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00444114 push 0044416Eh; ret |
1_2_00444166 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0044C294 push 0044C2FFh; ret |
1_2_0044C2F7 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0042435C push 00424388h; ret |
1_2_00424380 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_004243AC push 004243D8h; ret |
1_2_004243D0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00424664 push 00424690h; ret |
1_2_00424688 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00410696 push 0041070Eh; ret |
1_2_00410706 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00410698 push 0041070Eh; ret |
1_2_00410706 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0042675C push 00426794h; ret |
1_2_0042678C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00424760 push 0042478Ch; ret |
1_2_00424784 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00410710 push 004107B8h; ret |
1_2_004107B0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00424798 push 004247C4h; ret |
1_2_004247BC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0041A7B2 push 0041A85Fh; ret |
1_2_0041A857 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0041A7B4 push 0041A85Fh; ret |
1_2_0041A857 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_004107BA push 00410900h; ret |
1_2_004108F8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0041A864 push 0041A8F4h; ret |
1_2_0041A8EC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_004108D4 push 00410900h; ret |
1_2_004108F8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0041A8F6 push 0041ABFCh; ret |
1_2_0041ABF4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00430954 push 004309CAh; ret |
1_2_004309C2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00412A4C push ecx; mov dword ptr [esp], edx |
1_2_00412A51 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00406A60 push ecx; mov dword ptr [esp], eax |
1_2_00406A61 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00452A2C push ecx; mov dword ptr [esp], ecx |
1_2_00452A30 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00426A80 push 00426AACh; ret |
1_2_00426AA4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0041ABD0 push 0041ABFCh; ret |
1_2_0041ABF4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0040CBD4 push ecx; mov dword ptr [esp], edx |
1_2_0040CBD9 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00436BB0 push 00436C25h; ret |
1_2_00436C1D |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00406C44 push 00406C70h; ret |
1_2_00406C68 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00412C74 push ecx; mov dword ptr [esp], edx |
1_2_00412C79 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00406C7C push 00406CA8h; ret |
1_2_00406CA0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00436C28 push 00436C81h; ret |
1_2_00436C79 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00426C2C push 00426C58h; ret |
1_2_00426C50 |
Source: Yara match |
File source: 00000000.00000003.647244035.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648667636.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648893530.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647868794.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648751901.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648917284.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648176949.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648860307.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647426858.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647623145.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.649011597.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647521163.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.649003327.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647703250.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1020935253.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.678292603.0000000008010000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648956787.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648265573.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648974202.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647795143.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647330409.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647948135.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648938200.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648374581.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648323443.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648615088.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648037894.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648828511.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648478035.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648792520.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648104820.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648425491.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648990980.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_004420C8 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
1_2_004420C8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00458504 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
1_2_00458504 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_004427E8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
1_2_004427E8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00442898 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
1_2_00442898 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0043F0F0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
1_2_0043F0F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_0045732C IsIconic,GetCapture, |
1_2_0045732C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00457BE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
1_2_00457BE0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00423E14 IsIconic,GetWindowPlacement,GetWindowRect, |
1_2_00423E14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00426E24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
1_2_00426E24 |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. (Analyst note: this and the following Hyper-V strings were read from the memory of WerFault.exe, the Windows Error Reporting process, not from the sample's own modules; they read as Windows system error-message text and should be treated as weak evidence of sandbox/VM detection unless corroborated by sample code that references them.) |
Source: WerFault.exe, 00000004.00000002.668258285.0000000004CF0000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW |
Source: WerFault.exe, 00000004.00000002.668258285.0000000004CF0000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW) |
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 1_2_00426E24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
1_2_00426E24 |
Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
1_2_004051AC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA,GetACP, |
1_2_0040C420 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA, |
1_2_0040AE34 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA, |
1_2_0040AE80 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
1_2_004052B8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA, |
1_2_00405AA2 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA, |
1_2_00405AA4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetLocaleInfoA,GetSystemDefaultUILanguage, |
1_2_035A340B |
Source: Yara match |
File source: 00000000.00000003.647244035.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648667636.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648893530.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647868794.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648751901.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648917284.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648176949.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648860307.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647426858.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647623145.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.649011597.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647521163.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.649003327.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647703250.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1020935253.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.678292603.0000000008010000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648956787.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648265573.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648974202.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647795143.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647330409.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647948135.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648938200.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648374581.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648323443.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648615088.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648037894.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648828511.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648478035.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648792520.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648104820.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648425491.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648990980.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647244035.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648667636.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648893530.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647868794.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648751901.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648917284.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648176949.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648860307.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647426858.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647623145.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.649011597.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647521163.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.649003327.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647703250.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1020935253.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000002.678292603.0000000008010000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648956787.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648265573.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648974202.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647795143.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647330409.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.647948135.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648938200.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648374581.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648323443.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648615088.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648037894.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648828511.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648478035.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648792520.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648104820.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648425491.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.648990980.0000000005360000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY |