Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp (memory dump from hex PID 0x1D = 29, i.e. the mobsync.exe instance whose 29_2_5048xxxx code functions are listed below; base 0x50481000 with protection 0x40 = PAGE_EXECUTE_READWRITE is consistent with an injected payload rather than a loaded module). Reading the extracted configuration that follows: only the `C2 list` entry is the operator endpoint to act on; the `decoy` entries are, per the extractor's labelling, unrelated domains FormBook contacts alongside the real C2 to mask it, so they should not be blocked or attributed as malicious on that basis alone. |
Malware Configuration Extractor: FormBook {"C2 list": ["www.serpascarnes.com/8iwd/"], "decoy": ["openhousedigitale.com", "helpindia.store", "josiahspicer.com", "wydancer.com", "athinatoday.com", "asiapartnerspoint.com", "freemakechefsrecipes.com", "metrolistingsservices.com", "assarytagged.quest", "ververevival.com", "cjdue.com", "iqmetaverse.com", "sh-spgdk.com", "spacecitybeauty.com", "phasmatoidea.com", "yz1866.com", "tenlog009.xyz", "gameprizes.xyz", "415know.com", "virus-jestock.com", "fmsgmbh.com", "chinaglobalawarenesscodeday.com", "sekailuxe.com", "luvjoyproperties.com", "amandlaparaffin.com", "dreamcenterabq.com", "finestpoints.com", "lbbed.com", "teamgamecocks.club", "fallscreation.com", "365gy.net", "vtprealtor.com", "emailassure.com", "yogiler.com", "ss2196.com", "csntow.com", "lechotamalamona.com", "kingdomofdavid.kiwi", "ismaella.com", "facebooking.club", "adelinesgrill.com", "uzh.biz", "vivimendes.com", "throwpillowco.com", "honestwealthbuilding.com", "inoutinsurance.xyz", "iqvisory.com", "mkbau-quickborn.com", "sellbesty.com", "south1995officiel.com", "austrahe.com", "trancendentalastroshop.store", "gotcookies.net", "meglutenfree.com", "clayexoticsatl.com", "tonerventes.com", "torresflooringdecorllc.com", "mentication.com", "formula-evolution.com", "likethespirit.com", "reddysinfotech.com", "laketappsapartment.com", "yimailg.com", "0kscp.com"]} |
Source: Yara match |
File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: |
Binary string: cfgmgr32.pdb& source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp — note: every `.pdb` string in this section is sourced from WerFault.exe memory, i.e. the symbol paths of Windows system modules loaded by the crash handler after the injected mobsync.exe/secinit.exe processes faulted (see the WerFault.exe `-p <pid>` spawns below). They are not malware artifacts and should not be used as indicators. |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp, WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.350996915.0000000002582000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdbL source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb5o source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: powrprof.pdb& source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: shcore.pdbT source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: mobsync.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: fltLib.pdbd source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wimm32.pdb< source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdbd source: WerFault.exe, 00000024.00000003.444746857.0000000003251000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb{ source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp |
Source: |
Binary string: profapi.pdbX source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdbB source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdb2 source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: secinit.pdb source: WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: Yara match |
File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\Public\Libraries\uxvffdU.url, type: DROPPED |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 — the shortcut name `uxvffdU` is the reverse of `Udffvxu`, the directory/executable name of the dropped payload `C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe` launched later in the process tree, so this .url is most likely the launcher that achieves persistence for that payload; confirm by inspecting the shortcut's URL= target. |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_50481030 |
7_2_50481030 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_5049C95C |
7_2_5049C95C |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_50488C80 |
7_2_50488C80 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_50482D8C |
7_2_50482D8C |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_50482D90 |
7_2_50482D90 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_50482FB0 |
7_2_50482FB0 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_50481030 |
29_2_50481030 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_5049C95C |
29_2_5049C95C |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_5049CBD0 |
29_2_5049CBD0 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_50488C80 |
29_2_50488C80 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_50482D8C |
29_2_50482D8C |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_50482D90 |
29_2_50482D90 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_50482FB0 |
29_2_50482FB0 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50481030 |
34_2_50481030 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049C95C |
34_2_5049C95C |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049CBD0 |
34_2_5049CBD0 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50488C80 |
34_2_50488C80 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50482D8C |
34_2_50482D8C |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50482D90 |
34_2_50482D90 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50482FB0 |
34_2_50482FB0 |
Source: unknown |
Process created: C:\Users\user\Desktop\PO-003785GMHN.exe 'C:\Users\user\Desktop\PO-003785GMHN.exe' |
|
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe — mobsync.exe is a legitimate Windows binary with no reason to be started by a user-downloaded executable; combined with the FormBook Yara hits in its RWX region at 0x50481000 (hex PID 0x07 = 7, matching the 7_2_5048xxxx code functions) this indicates the sample injected its payload into mobsync.exe. Detection should key on the parent/child relationship, not on mobsync.exe itself. |
|
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\mobsync.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 472 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
|
Source: C:\Windows\SysWOW64\reg.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 'C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe' |
|
Source: unknown |
Process created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 'C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe' |
|
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe |
|
Source: C:\Windows\SysWOW64\mobsync.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 484 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe |
|
Source: C:\Windows\SysWOW64\secinit.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 236 |
|
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:6840:120:WilError_01 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4908 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5368 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6824 |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: |
Binary string: cfgmgr32.pdb& source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp, WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.350996915.0000000002582000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdbL source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb5o source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: powrprof.pdb& source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: shcore.pdbT source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdb source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: mobsync.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.335448704.0000000002B7F000.00000004.00000001.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: fltLib.pdbd source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdbk source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: wimm32.pdb< source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdbd source: WerFault.exe, 00000024.00000003.444746857.0000000003251000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.339305867.0000000004BB1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.422764273.0000000004B51000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.335001499.0000000002B8A000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb{ source: WerFault.exe, 00000024.00000003.444891305.0000000003253000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.335206449.0000000002B84000.00000004.00000001.sdmp |
Source: |
Binary string: profapi.pdbX source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.339313135.0000000004CF0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.422776964.0000000004970000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdbB source: WerFault.exe, 00000011.00000003.339327627.0000000004CF7000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdb2 source: WerFault.exe, 0000001F.00000003.422792063.0000000004977000.00000004.00000040.sdmp |
Source: |
Binary string: secinit.pdb source: WerFault.exe, 00000024.00000003.444822340.0000000004F71000.00000004.00000001.sdmp |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_5049B832 push eax; ret |
7_2_5049B838 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_5049B89C push eax; ret |
7_2_5049B8A2 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_504999A4 push 3788F9D1h; ret |
7_2_504999A9 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_50489294 push ecx; retf |
7_2_50489296 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 7_2_50495EC4 push cs; retf |
7_2_50495ECB |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_5049B83B push eax; ret |
29_2_5049B8A2 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_5049B832 push eax; ret |
29_2_5049B838 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_5049B89C push eax; ret |
29_2_5049B8A2 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_5049C952 push esi; ret |
29_2_5049C954 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_504999A4 push 3788F9D1h; ret |
29_2_504999A9 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_50489294 push ecx; retf |
29_2_50489296 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_50495EC4 push cs; retf |
29_2_50495ECB |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 29_2_5049B7E5 push eax; ret |
29_2_5049B838 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049B83B push eax; ret |
34_2_5049B8A2 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049B832 push eax; ret |
34_2_5049B838 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049B89C push eax; ret |
34_2_5049B8A2 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049C952 push esi; ret |
34_2_5049C954 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_504999A4 push 3788F9D1h; ret |
34_2_504999A9 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50489294 push ecx; retf |
34_2_50489296 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50495EC4 push cs; retf |
34_2_50495ECB |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049B7E5 push eax; ret |
34_2_5049B838 |
Source: PO-003785GMHN.exe |
Static PE information: section name: ..... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ...... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ..... |
Source: PO-003785GMHN.exe |
Static PE information: section name: .... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ...... |
Source: PO-003785GMHN.exe |
Static PE information: section name: .... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ...... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ...... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ..... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ..... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ...... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ..... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: .... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ...... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: .... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ...... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ...... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ..... |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50480000 |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 190000 |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 1A0000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50480000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: E30000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: E40000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 50480000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 790000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 7A0000 |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50480000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 190000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 1A0000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50480000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: E30000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: E40000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50480000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 790000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 7A0000 protect: page execute and read and write |
Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: mobsync.exe, 00000007.00000000.329301564.0000000003270000.00000002.00020000.sdmp, mobsync.exe, 0000001D.00000000.404702268.0000000003600000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: Yara match |
File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000000.404787994.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.426230701.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000002.469320228.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.330145483.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.424373441.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000002.455032727.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000000.399853067.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.326403501.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.420864858.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001D.00000000.406837359.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.352767592.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.329347583.0000000050481000.00000040.00000001.sdmp, type: MEMORY |