Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_000784E0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then movzx edx, word ptr [eax] |
6_2_000646F0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then inc dword ptr [esp+40h] |
6_2_000743C0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_000743C0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_00072C44 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then inc ecx |
6_2_0007B050 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_00073860 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec ecx |
6_2_00081890 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_00081890 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_000698D0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then inc esp |
6_2_000624E0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h |
6_2_00061500 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_000789B0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_00065DF0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then movzx ecx, word ptr [eax+02h] |
6_2_00069200 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then movzx eax, byte ptr [ebx] |
6_2_0007BE20 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then inc esp |
6_2_0007B240 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then dec eax |
6_2_000772A0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then inc edx |
6_2_0006BEC0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then movzx ebx, word ptr [eax] |
6_2_00073B00 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 4x nop then mov ebx, edx |
6_2_0006EBE0 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 142.202.191.164 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 108.170.20.75 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 200.52.147.93 |
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo) |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06 |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.entrust.net/server1.crl0 |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 |
Source: wermgr.exe, 00000006.00000002.2343826790.00000000002C1000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.6.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enl |
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0% |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0- |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0/ |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.comodoca.com05 |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.entrust.net03 |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://ocsp.entrust.net0D |
Source: wermgr.exe, 00000006.00000002.2348794656.00000000334F0000.00000002.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: wermgr.exe, 00000006.00000002.2349584225.0000000034050000.00000002.00000001.sdmp |
String found in binary or memory: http://servername/isapibackend.dll |
Source: rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: wermgr.exe, 00000006.00000002.2348794656.00000000334F0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0 |
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: wermgr.exe, 00000006.00000002.2343779349.000000000024A000.00000004.00000020.sdmp |
String found in binary or memory: https://142.202.191.164/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file/ |
Source: wermgr.exe, 00000006.00000002.2343826790.00000000002C1000.00000004.00000020.sdmp, wermgr.exe, 00000006.00000002.2343761722.000000000021E000.00000004.00000020.sdmp |
String found in binary or memory: https://200.52.147.93/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file/ |
Source: wermgr.exe, 00000006.00000002.2343761722.000000000021E000.00000004.00000020.sdmp |
String found in binary or memory: https://200.52.147.93/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file// |
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp |
String found in binary or memory: https://secure.comodo.com/CPS0 |
Source: Screenshot number: 4 |
Screenshot OCR: Enable editing button from the yellow bar above 15 16 Once you have enabled editing, please click |
Source: Screenshot number: 4 |
Screenshot OCR: Enable content button ,1 " from the yellow bar above )1 23 24 25 26 27 28 29 30 31 32 3 |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable content button from the yellow bar above I \ , I ' / |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable content button from the yellow bar above j' |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00082060 |
6_2_00082060 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0007BCA0 |
6_2_0007BCA0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00078CA0 |
6_2_00078CA0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0006E0F0 |
6_2_0006E0F0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00061290 |
6_2_00061290 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000743C0 |
6_2_000743C0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00068010 |
6_2_00068010 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00077840 |
6_2_00077840 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00080870 |
6_2_00080870 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000644C0 |
6_2_000644C0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000790E0 |
6_2_000790E0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000714F0 |
6_2_000714F0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00061500 |
6_2_00061500 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00076100 |
6_2_00076100 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00076D10 |
6_2_00076D10 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00072580 |
6_2_00072580 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000789B0 |
6_2_000789B0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00069200 |
6_2_00069200 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0007CA00 |
6_2_0007CA00 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0007BE20 |
6_2_0007BE20 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00077630 |
6_2_00077630 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0007CE70 |
6_2_0007CE70 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0006A280 |
6_2_0006A280 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0006C290 |
6_2_0006C290 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0006CEB0 |
6_2_0006CEB0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0007B700 |
6_2_0007B700 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00073B00 |
6_2_00073B00 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_0006E310 |
6_2_0006E310 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00062720 |
6_2_00062720 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00075F70 |
6_2_00075F70 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000763A8 |
6_2_000763A8 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000717B0 |
6_2_000717B0 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_000A0040 |
6_2_000A0040 |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
|
Source: unknown |
Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer |
|
Source: unknown |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer |
|
Source: unknown |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wermgr.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wermgr.exe |
Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,adjustToken,handleClosed,systemQueried,systemQueried,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,languageOrLocalQueried,threadDelayed,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,systemQueried,systemQueried,fileOpened,directoryQueried |
Source: C:\Windows\System32\wermgr.exe |
RDTSC instruction interceptor: First address: 000000000006EAD0 second address: 000000000006EAD0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [0000E3AEh] 0x00000013 jmp 00007F527C7F7B90h 0x00000015 jmp dword ptr [0007C47Ah] 0x0000001b mov ecx, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 mov eax, dword ptr [7FFE0320h] 0x0000002a dec eax 0x0000002b imul eax, ecx 0x0000002e dec eax 0x0000002f shr eax, 18h 0x00000032 ret 0x00000033 inc esp 0x00000034 mov esi, eax 0x00000036 dec ecx 0x00000037 mov esi, edi 0x00000039 dec eax 0x0000003a xor esi, FFFFFF00h 0x00000040 dec ecx 0x00000041 and esi, edi 0x00000043 call 00007F527C7EFA26h 0x00000048 rdtsc |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E85B044 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
4_2_6E85B044 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_6E857DE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
4_2_6E857DE5 |
Source: C:\Windows\System32\wermgr.exe |
Code function: 6_2_00082060 SleepEx,SetTimer,RtlAddVectoredExceptionHandler, |
6_2_00082060 |
Source: wermgr.exe, 00000006.00000002.2343875253.0000000000750000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: wermgr.exe, 00000006.00000002.2343875253.0000000000750000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: wermgr.exe, 00000006.00000002.2343875253.0000000000750000.00000002.00000001.sdmp |
Binary or memory string: !Progman |
Source: Yara match |
File source: 00000004.00000002.2081720951.00000000005D8000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.2077502883.0000000000764000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2081503635.0000000000130000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000003.2077497175.0000000000764000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2081774299.0000000000730000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match |
File source: 4.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE |