Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_000784E0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_000789B0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then movzx ecx, word ptr [eax+02h] |
6_2_00069200 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then mov ecx, 00004E20h |
6_2_00082659 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then movzx edx, word ptr [eax] |
6_2_000646F0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then inc dword ptr [esp+40h] |
6_2_000743C0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_000743C0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_00072C44 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then inc ecx |
6_2_0007B050 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_00073860 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec ecx |
6_2_00081890 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_00081890 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_000698D0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then inc esp |
6_2_000624E0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h |
6_2_00061500 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_00065DF0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then movzx eax, byte ptr [ebx] |
6_2_0007BE20 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then inc esp |
6_2_0007B240 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_000772A0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then inc edx |
6_2_0006BEC0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then movzx ebx, word ptr [eax] |
6_2_00073B00 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then mov ebx, edx |
6_2_0006EBE0 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 142.202.191.164 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.5.249.156 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 134.119.186.202 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 36.94.62.207 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 103.61.101.11 |
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo) |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06 |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.entrust.net/server1.crl0 |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 |
Source: wermgr.exe, 00000006.00000002.2353198555.000000000026D000.00000004.00000020.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.6.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: rundll32.exe, 00000003.00000002.2093057362.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091928851.0000000001FA7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358894477.0000000033B17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353380109.00000000009A7000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: rundll32.exe, 00000003.00000002.2093057362.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091928851.0000000001FA7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358894477.0000000033B17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353380109.00000000009A7000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0% |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0- |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0/ |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com05 |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.entrust.net03 |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.entrust.net0D |
Source: wermgr.exe, 00000006.00000002.2358312304.0000000033540000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2353183950.00000000007C0000.00000002.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: wermgr.exe, 00000006.00000002.2359153386.00000000340E0000.00000002.00000001.sdmp |
String found in binary or memory: http://servername/isapibackend.dll |
Source: rundll32.exe, 00000003.00000002.2093057362.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091928851.0000000001FA7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358894477.0000000033B17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353380109.00000000009A7000.00000002.00000001.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: rundll32.exe, 00000003.00000002.2093057362.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091928851.0000000001FA7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358894477.0000000033B17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353380109.00000000009A7000.00000002.00000001.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: wermgr.exe, 00000006.00000002.2358312304.0000000033540000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2353183950.00000000007C0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0 |
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: rundll32.exe, 00000003.00000002.2093057362.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091928851.0000000001FA7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358894477.0000000033B17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353380109.00000000009A7000.00000002.00000001.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: wermgr.exe, 00000006.00000002.2359101614.0000000033E80000.00000004.00000001.sdmp |
String found in binary or memory: https://103.61.101.11:447/rob60/971342_W617601.BB08CBD1CB3BE0D331A29013BDDA57AE/5/pwgrab64/ |
Source: wermgr.exe, 00000006.00000002.2353202046.0000000000272000.00000004.00000020.sdmp |
String found in binary or memory: https://36.94.62.207/rob60/971342_W617601.BB |
Source: wermgr.exe, 00000006.00000002.2359101614.0000000033E80000.00000004.00000001.sdmp |
String found in binary or memory: https://36.94.62.207/rob60/971342_W617601.BB08CBD1CB3BE0D331A29013BDDA57AE/14/NAT%20status/client%20 |
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp |
String found in binary or memory: https://secure.comodo.com/CPS0 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49168 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49167 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49176 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49174 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49172 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49168 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49170 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49167 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49171 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49176 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49173 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49174 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49178 -> 443 |
Source: Screenshot number: 4 |
Screenshot OCR: Enable editing button from the yellow bar above d 15 16 Once you have enabled editing, please clic |
Source: Screenshot number: 4 |
Screenshot OCR: Enable content button ' ' "==~ " from the yellow bar above 1| 6~_ 24 25 26 27 28 ' D G) 2 |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable content button from the yellow bar above I \ , I ' / |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable content button from the yellow bar above j' |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00068010 |
6_2_00068010 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00082060 |
6_2_00082060 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0007BCA0 |
6_2_0007BCA0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00078CA0 |
6_2_00078CA0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0006E0F0 |
6_2_0006E0F0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000789B0 |
6_2_000789B0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00069200 |
6_2_00069200 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00061290 |
6_2_00061290 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000743C0 |
6_2_000743C0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00077840 |
6_2_00077840 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00080870 |
6_2_00080870 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000644C0 |
6_2_000644C0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000790E0 |
6_2_000790E0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000714F0 |
6_2_000714F0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00061500 |
6_2_00061500 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00076100 |
6_2_00076100 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00076D10 |
6_2_00076D10 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00072580 |
6_2_00072580 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0007CA00 |
6_2_0007CA00 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0007BE20 |
6_2_0007BE20 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00077630 |
6_2_00077630 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0007CE70 |
6_2_0007CE70 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0006A280 |
6_2_0006A280 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0006C290 |
6_2_0006C290 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0006CEB0 |
6_2_0006CEB0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0007B700 |
6_2_0007B700 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00073B00 |
6_2_00073B00 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0006E310 |
6_2_0006E310 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00062720 |
6_2_00062720 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00075F70 |
6_2_00075F70 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000763A8 |
6_2_000763A8 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000717B0 |
6_2_000717B0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000A0040 |
6_2_000A0040 |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer |
Source: unknown |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer |
Source: unknown |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
Source: unknown |
Process created: C:\Windows\System32\taskeng.exe taskeng.exe {C999D15C-7BEE-4793-989A-0EF4E6A22007} S-1-5-18:NT AUTHORITY\System:Service: |
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor8751465376\kiBASEzv.rrd',DllRegisterServer |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
Source: C:\Windows\System32\taskeng.exe |
Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor8751465376\kiBASEzv.rrd',DllRegisterServer |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wermgr.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wermgr.exe |
Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,adjustToken,handleClosed,systemQueried,systemQueried,threadDelayed,handleClosed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,languageOrLocalQueried,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,systemQueried,systemQueried,fileOpened |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E83B044 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
4_2_6E83B044 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E837DE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
4_2_6E837DE5 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00082060 SetCurrentDirectoryW,SleepEx,SetTimer,RtlAddVectoredExceptionHandler, |
6_2_00082060 |
Source: Yara match |
File source: 00000004.00000002.2091575281.00000000006D0000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2091432238.0000000000180000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2092159762.00000000021E8000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.2087481809.0000000000704000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.2087500682.0000000000704000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 4.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE |