Source: 2.3.rundll32.exe.2c3a427.0.raw.unpack |
Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"} |
Source: |
Binary string: WinTypes.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: shlwapi.pdb+ source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp |
Source: |
Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.871565860.00000000032AE000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: TextInputFramework.pdb4h source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp |
Source: |
Binary string: ntmarta.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: c:\Tube-meet\585\straight\lift\38_Claim\Tail.pdb source: loaddll32.exe, 00000000.00000002.910074848.000000006D4C9000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.911410296.000000006D4C9000.00000002.00020000.sdmp, nT5pUwoJSS.dll |
Source: |
Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: shell32.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: sfc.pdb4a source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: |
Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: mpr.pdb7` source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_02C84C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, |
3_2_02C84C3B |
Source: WerFault.exe, 0000000E.00000003.889153103.0000000005072000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.microsoft |
Source: {4BD5DCDF-B312-11EB-90EB-ECF4BBEA1588}.dat.17.dr |
String found in binary or memory: https://outlook.office365.com/login/greed/KnH9H6Qjc_2F7/0e3_2F0_/2FRqQPyOKs18rFK5waVCGCI/jIBCBbgDdF/ |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49755 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49757 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49758 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49759 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49759 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49758 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49757 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49755 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49756 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49756 |
Source: Yara match |
File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue |
Source: C:\Windows\SysWOW64\rundll32.exe |
WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D4823A5 NtQueryVirtualMemory, |
0_2_6D4823A5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4815F1 GetProcAddress,NtCreateSection,memset, |
3_2_6D4815F1 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D481F14 NtMapViewOfSection, |
3_2_6D481F14 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4823A5 NtQueryVirtualMemory, |
3_2_6D4823A5 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_02C81168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, |
3_2_02C81168 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_02C8B2F1 NtQueryVirtualMemory, |
3_2_02C8B2F1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D482184 |
0_2_6D482184 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D4B8960 |
0_2_6D4B8960 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D4C2153 |
0_2_6D4C2153 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D482184 |
3_2_6D482184 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_02C8B0CC |
3_2_02C8B0CC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_02C8696A |
3_2_02C8696A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_02C81B6A |
3_2_02C81B6A |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4B8960 |
3_2_6D4B8960 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4C2153 |
3_2_6D4C2153 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Eithernothing |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Order |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Smileschool |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 892 |
|
Source: unknown |
Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding |
|
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5516 CREDAT:17410 /prefetch:2 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Eithernothing |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Order |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Smileschool |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1 |
Source: C:\Program Files\internet explorer\iexplore.exe |
Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5516 CREDAT:17410 /prefetch:2 |
Source: nT5pUwoJSS.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: nT5pUwoJSS.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: nT5pUwoJSS.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: nT5pUwoJSS.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: nT5pUwoJSS.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: nT5pUwoJSS.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: |
Binary string: WinTypes.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: shlwapi.pdb+ source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp |
Source: |
Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.871565860.00000000032AE000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: TextInputFramework.pdb4h source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp |
Source: |
Binary string: ntmarta.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: c:\Tube-meet\585\straight\lift\38_Claim\Tail.pdb source: loaddll32.exe, 00000000.00000002.910074848.000000006D4C9000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.911410296.000000006D4C9000.00000002.00020000.sdmp, nT5pUwoJSS.dll |
Source: |
Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: shell32.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: sfc.pdb4a source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: |
Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp |
Source: |
Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp |
Source: |
Binary string: mpr.pdb7` source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp |
Source: nT5pUwoJSS.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: nT5pUwoJSS.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: nT5pUwoJSS.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: nT5pUwoJSS.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: nT5pUwoJSS.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D482173 push ecx; ret |
0_2_6D482183 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D482120 push ecx; ret |
0_2_6D482129 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D492C15 push ebp; retf |
0_2_6D492C16 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D494348 push ss; ret |
0_2_6D49434B |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D4C2761 push ecx; ret |
0_2_6D4C2774 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D49778D pushfd ; ret |
0_2_6D4977AB |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D492F9A push edi; retf |
0_2_6D492FA4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D482173 push ecx; ret |
3_2_6D482183 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D482120 push ecx; ret |
3_2_6D482129 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_02C8B0BB push ecx; ret |
3_2_02C8B0CB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_02C8AD00 push ecx; ret |
3_2_02C8AD09 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D492C15 push ebp; retf |
3_2_6D492C16 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D494348 push ss; ret |
3_2_6D49434B |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4C2761 push ecx; ret |
3_2_6D4C2774 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D49778D pushfd ; ret |
3_2_6D4977AB |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D492F9A push edi; retf |
3_2_6D492FA4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_06B3F7B4 push 776EF672h; iretd |
4_2_06B3F7E5 |
Source: Yara match |
File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe |
Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_02C84C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, |
3_2_02C84C3B |
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: WerFault.exe, 0000000E.00000003.889249389.0000000005046000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW |
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D4F5770 mov eax, dword ptr fs:[00000030h] |
0_2_6D4F5770 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D4F56A6 mov eax, dword ptr fs:[00000030h] |
0_2_6D4F56A6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D4F52AD push dword ptr fs:[00000030h] |
0_2_6D4F52AD |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4F5770 mov eax, dword ptr fs:[00000030h] |
3_2_6D4F5770 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4F56A6 mov eax, dword ptr fs:[00000030h] |
3_2_6D4F56A6 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4F52AD push dword ptr fs:[00000030h] |
3_2_6D4F52AD |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D4C150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_6D4C150C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D4C636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_6D4C636F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D4C2F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_6D4C2F08 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4C150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_6D4C150C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4C636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
3_2_6D4C636F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_6D4C2F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
3_2_6D4C2F08 |
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6D481237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, |
0_2_6D481237 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_02C82D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, |
3_2_02C82D6E |
Source: Yara match |
File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY |