Source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp |
Malware Configuration Extractor: FormBook {"C2 list": ["www.serpascarnes.com/8iwd/"], "decoy": ["openhousedigitale.com", "helpindia.store", "josiahspicer.com", "wydancer.com", "athinatoday.com", "asiapartnerspoint.com", "freemakechefsrecipes.com", "metrolistingsservices.com", "assarytagged.quest", "ververevival.com", "cjdue.com", "iqmetaverse.com", "sh-spgdk.com", "spacecitybeauty.com", "phasmatoidea.com", "yz1866.com", "tenlog009.xyz", "gameprizes.xyz", "415know.com", "virus-jestock.com", "fmsgmbh.com", "chinaglobalawarenesscodeday.com", "sekailuxe.com", "luvjoyproperties.com", "amandlaparaffin.com", "dreamcenterabq.com", "finestpoints.com", "lbbed.com", "teamgamecocks.club", "fallscreation.com", "365gy.net", "vtprealtor.com", "emailassure.com", "yogiler.com", "ss2196.com", "csntow.com", "lechotamalamona.com", "kingdomofdavid.kiwi", "ismaella.com", "facebooking.club", "adelinesgrill.com", "uzh.biz", "vivimendes.com", "throwpillowco.com", "honestwealthbuilding.com", "inoutinsurance.xyz", "iqvisory.com", "mkbau-quickborn.com", "sellbesty.com", "south1995officiel.com", "austrahe.com", "trancendentalastroshop.store", "gotcookies.net", "meglutenfree.com", "clayexoticsatl.com", "tonerventes.com", "torresflooringdecorllc.com", "mentication.com", "formula-evolution.com", "likethespirit.com", "reddysinfotech.com", "laketappsapartment.com", "yimailg.com", "0kscp.com"]} |
Source: Yara match |
File source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.366690021.0000000002C27000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460834520.00000000027D5000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484080545.0000000003629000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp, WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460217485.00000000027CF000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.485168569.0000000003623000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000010.00000002.384758094.00000000027C2000.00000004.00000001.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb! source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484696549.00000000052E4000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdbk source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdb source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: fltLib.pdb; source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp |
Source: |
Binary string: mobsync.pdb source: WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.366127292.0000000002C21000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460217485.00000000027CF000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.485168569.0000000003623000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdbk source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb= source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdbi source: WerFault.exe, 00000024.00000003.489142600.00000000055A1000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb( source: WerFault.exe, 00000010.00000003.366557441.0000000002C2D000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460535070.00000000027DB000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484105898.000000000362F000.00000004.00000001.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdb{ source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: profapi.pdbO source: WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.366690021.0000000002C27000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460834520.00000000027D5000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484080545.0000000003629000.00000004.00000001.sdmp |
Source: |
Binary string: DpiScaling.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp |
Source: |
Binary string: ole32.pdb/ source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: secinit.pdb source: WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: Yara match |
File source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\Public\Libraries\uxvffdU.url, type: DROPPED |
Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019 |
Source: C:\Windows\SysWOW64\DpiScaling.exe |
Code function: 7_2_50481030 |
7_2_50481030 |
Source: C:\Windows\SysWOW64\DpiScaling.exe |
Code function: 7_2_50488C80 |
7_2_50488C80 |
Source: C:\Windows\SysWOW64\DpiScaling.exe |
Code function: 7_2_5049C95C |
7_2_5049C95C |
Source: C:\Windows\SysWOW64\DpiScaling.exe |
Code function: 7_2_50482D8C |
7_2_50482D8C |
Source: C:\Windows\SysWOW64\DpiScaling.exe |
Code function: 7_2_50482D90 |
7_2_50482D90 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_50481030 |
30_2_50481030 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_5049C95C |
30_2_5049C95C |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_5049CBD0 |
30_2_5049CBD0 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_50488C80 |
30_2_50488C80 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_50482D8C |
30_2_50482D8C |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_50482D90 |
30_2_50482D90 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_50482FB0 |
30_2_50482FB0 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50481030 |
34_2_50481030 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049C95C |
34_2_5049C95C |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049CBD0 |
34_2_5049CBD0 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50488C80 |
34_2_50488C80 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50482D8C |
34_2_50482D8C |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50482D90 |
34_2_50482D90 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50482FB0 |
34_2_50482FB0 |
Source: unknown |
Process created: C:\Users\user\Desktop\PO-003785GMHN.exe 'C:\Users\user\Desktop\PO-003785GMHN.exe' |
|
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe |
|
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
|
Source: C:\Windows\SysWOW64\DpiScaling.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 496 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM ' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I |
|
Source: unknown |
Process created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 'C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe' |
|
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
|
Source: C:\Windows\SysWOW64\reg.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 'C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe' |
|
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe |
|
Source: C:\Windows\SysWOW64\mobsync.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 484 |
|
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe |
|
Source: C:\Windows\SysWOW64\secinit.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 236 |
|
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM ' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2228 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_01 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4776 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6824 |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
|
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.366690021.0000000002C27000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460834520.00000000027D5000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484080545.0000000003629000.00000004.00000001.sdmp |
Source: |
Binary string: bcrypt.pdb source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp, WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460217485.00000000027CF000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.485168569.0000000003623000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp |
Source: |
Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000010.00000002.384758094.00000000027C2000.00000004.00000001.sdmp |
Source: |
Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb! source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484696549.00000000052E4000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdbk source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: wkscli.pdb source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: fltLib.pdb; source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp |
Source: |
Binary string: mobsync.pdb source: WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.366127292.0000000002C21000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460217485.00000000027CF000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.485168569.0000000003623000.00000004.00000001.sdmp |
Source: |
Binary string: shcore.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp |
Source: |
Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: shell32.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp |
Source: |
Binary string: ucrtbase.pdbk source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: advapi32.pdb= source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdbi source: WerFault.exe, 00000024.00000003.489142600.00000000055A1000.00000004.00000040.sdmp |
Source: |
Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb( source: WerFault.exe, 00000010.00000003.366557441.0000000002C2D000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460535070.00000000027DB000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484105898.000000000362F000.00000004.00000001.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: |
Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: bcrypt.pdb{ source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: profapi.pdbO source: WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.366690021.0000000002C27000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460834520.00000000027D5000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484080545.0000000003629000.00000004.00000001.sdmp |
Source: |
Binary string: DpiScaling.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp |
Source: |
Binary string: ole32.pdb/ source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp |
Source: |
Binary string: secinit.pdb source: WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp |
Source: C:\Windows\SysWOW64\DpiScaling.exe |
Code function: 7_2_5049B832 push eax; ret |
7_2_5049B838 |
Source: C:\Windows\SysWOW64\DpiScaling.exe |
Code function: 7_2_5049B89C push eax; ret |
7_2_5049B8A2 |
Source: C:\Windows\SysWOW64\DpiScaling.exe |
Code function: 7_2_50489294 push ecx; retf |
7_2_50489296 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_5049B83B push eax; ret |
30_2_5049B8A2 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_5049B832 push eax; ret |
30_2_5049B838 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_5049B89C push eax; ret |
30_2_5049B8A2 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_5049C952 push esi; ret |
30_2_5049C954 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_504999A4 push 3788F9D1h; ret |
30_2_504999A9 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_50489294 push ecx; retf |
30_2_50489296 |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_50495EC4 push cs; retf |
30_2_50495ECB |
Source: C:\Windows\SysWOW64\mobsync.exe |
Code function: 30_2_5049B7E5 push eax; ret |
30_2_5049B838 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049B83B push eax; ret |
34_2_5049B8A2 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049B832 push eax; ret |
34_2_5049B838 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049B89C push eax; ret |
34_2_5049B8A2 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049C952 push esi; ret |
34_2_5049C954 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_504999A4 push 3788F9D1h; ret |
34_2_504999A9 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50489294 push ecx; retf |
34_2_50489296 |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_50495EC4 push cs; retf |
34_2_50495ECB |
Source: C:\Windows\SysWOW64\secinit.exe |
Code function: 34_2_5049B7E5 push eax; ret |
34_2_5049B838 |
Source: PO-003785GMHN.exe |
Static PE information: section name: ..... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ...... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ..... |
Source: PO-003785GMHN.exe |
Static PE information: section name: .... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ...... |
Source: PO-003785GMHN.exe |
Static PE information: section name: .... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ...... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ...... |
Source: PO-003785GMHN.exe |
Static PE information: section name: ..... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ..... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ...... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ..... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: .... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ...... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: .... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ...... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ...... |
Source: Udffvxu.exe.1.dr |
Static PE information: section name: ..... |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
|
Source: WerFault.exe, 00000020.00000002.493334163.00000000048B0000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW- |
Source: WerFault.exe, 00000024.00000002.508314078.00000000052D0000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW(._ |
Source: WerFault.exe, 00000010.00000003.381716313.0000000004B2C000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAWF |
Source: WerFault.exe, 00000010.00000003.381716313.0000000004B2C000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000002.493420445.00000000048CD000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.505411077.00000000035E7000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAW |
Source: WerFault.exe, 00000010.00000003.381944567.0000000004B11000.00000004.00000001.sdmp |
Binary or memory string: Hyper-V RAWh |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 50480000 |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: CE0000 |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: CF0000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50480000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 170000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\mobsync.exe base: 180000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: 50480000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: CF0000 |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory written: C:\Windows\SysWOW64\secinit.exe base: D00000 |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 50480000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: CE0000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: CF0000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50480000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 170000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 180000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50480000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: CF0000 protect: page execute and read and write |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Memory allocated: C:\Windows\SysWOW64\secinit.exe base: D00000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\PO-003785GMHN.exe |
Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM ' |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f |
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe |
Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe |
Source: DpiScaling.exe, 00000007.00000000.358761161.0000000003470000.00000002.00020000.sdmp, mobsync.exe, 0000001E.00000000.455042807.00000000033F0000.00000002.00020000.sdmp |
Binary or memory string: Program Manager |
Source: DpiScaling.exe, 00000007.00000000.358761161.0000000003470000.00000002.00020000.sdmp, mobsync.exe, 0000001E.00000000.455042807.00000000033F0000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: DpiScaling.exe, 00000007.00000000.358761161.0000000003470000.00000002.00020000.sdmp, mobsync.exe, 0000001E.00000000.455042807.00000000033F0000.00000002.00020000.sdmp |
Binary or memory string: Progman |
Source: DpiScaling.exe, 00000007.00000000.358761161.0000000003470000.00000002.00020000.sdmp, mobsync.exe, 0000001E.00000000.455042807.00000000033F0000.00000002.00020000.sdmp |
Binary or memory string: Progmanlock |
Source: Yara match |
File source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY |