Source: Process started | Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4700, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, ProcessId: 6376 |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302815879.0000000004700000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302841725.0000000002A15000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303283707.0000000002A15000.00000004.00000001.sdmp |
Source: | Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: sfc_os.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000005.00000002.319844575.0000000002352000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.299917614.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302836365.0000000002A0F000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303491790.0000000002A0F000.00000004.00000001.sdmp |
Source: | Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: ws2_32.pdbm source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.303138336.0000000002A1B000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: imagehlp.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: RFFGTEQ.pdb source: triage_dropped_file.dll |
Source: | Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.302836365.0000000002A0F000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303491790.0000000002A0F000.00000004.00000001.sdmp |
Source: | Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: dwmapi.pdbv source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: shell32.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.299917614.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: profapi.pdbs source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: AcLayers.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: propsys.pdba source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: imagehlp.pdby source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wimm32.pdbe source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.303138336.0000000002A1B000.00000004.00000001.sdmp |
Source: | Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: rundll32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.302841725.0000000002A15000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303283707.0000000002A15000.00000004.00000001.sdmp |
Source: | Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: sfc.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: cryptbase.pdbg source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: powrprof.pdb[ source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: WerFault.exe, 00000005.00000003.318664228.000000000467A000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000002.320153185.000000000467A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net |
Source: loaddll32.exe, 00000000.00000002.694831298.000000006EB3F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.298260895.000000006EB3F000.00000002.00020000.sdmp | String found in binary or memory: http://www.baxleystamps.comDVarFileInfo$ |
Source: Yara match | File source: 2.2.rundll32.exe.6eb20000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.1.rundll32.exe.6eb20000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.1.rundll32.exe.6eb20000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.0.rundll32.exe.6eb20000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.0.rundll32.exe.6eb20000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.6eb20000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.694559765.000000006EB21000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000000.296075681.000000006EB21000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.324884043.000000006EB21000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000000.298180742.000000006EB21000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000001.292482173.000000006EB20000.00000004.00020000.sdmp, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EB30730 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EB39370 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EB21494 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EB2A4E8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EB3143C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EB28428 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB30730 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB39370 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB21494 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB2A4E8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB3143C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB28428 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB29088 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll" |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 672 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302815879.0000000004700000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302841725.0000000002A15000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303283707.0000000002A15000.00000004.00000001.sdmp |
Source: | Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: sfc_os.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000005.00000002.319844575.0000000002352000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.299917614.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.302836365.0000000002A0F000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303491790.0000000002A0F000.00000004.00000001.sdmp |
Source: | Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: ws2_32.pdbm source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.303138336.0000000002A1B000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: mpr.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: imagehlp.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: RFFGTEQ.pdb source: triage_dropped_file.dll |
Source: | Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.302836365.0000000002A0F000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303491790.0000000002A0F000.00000004.00000001.sdmp |
Source: | Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: winspool.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: dwmapi.pdbv source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: shell32.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.299917614.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: profapi.pdbs source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: AcLayers.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: propsys.pdba source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: imagehlp.pdby source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wimm32.pdbe source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.303138336.0000000002A1B000.00000004.00000001.sdmp |
Source: | Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.307774943.0000000004B50000.00000004.00000040.sdmp |
Source: | Binary string: rundll32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.302841725.0000000002A15000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.303283707.0000000002A15000.00000004.00000001.sdmp |
Source: | Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: sfc.pdb source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.307766584.00000000049C1000.00000004.00000001.sdmp |
Source: | Binary string: cryptbase.pdbg source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: | Binary string: powrprof.pdb[ source: WerFault.exe, 00000005.00000003.307779684.0000000004B56000.00000004.00000040.sdmp |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EB2F6A8 push esi; mov dword ptr [esp], 00000000h |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB2F6A8 push esi; mov dword ptr [esp], 00000000h |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB3B77F push eax; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB3B8CB push esp; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_1_6EB3B847 push esp; ret |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.5.dr | Binary or memory string: VMware |
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.5.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.5.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: WerFault.exe, 00000005.00000002.320067944.0000000004630000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.318716498.0000000004668000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000002.320142264.0000000004668000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.5.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7 |
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EB26D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: loaddll32.exe, 00000000.00000002.689868887.0000000001170000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.297771954.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.295296097.0000000003860000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000000.00000002.689868887.0000000001170000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.297771954.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.295296097.0000000003860000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.689868887.0000000001170000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.297771954.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.295296097.0000000003860000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.689868887.0000000001170000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.297771954.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.295296097.0000000003860000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EB26D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.