Windows Analysis Report
https://idverificationz.b-cdn.net/idverificationz.zip

Overview

General Information

Sample URL: https://idverificationz.b-cdn.net/idverificationz.zip
Analysis ID: 1545029

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious URL
Drops large PE files
Sigma detected: Potential WinAPI Calls Via CommandLine
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: unknown HTTPS traffic detected: 169.150.247.35:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.4.dr
Source: Binary string: .pdb Ascii 'RSML' 'TEXT' "RasMac - Brookhaven PDB file" source: Setup.exe.4.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.4.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: rundll32.exe, 0000000E.00000002.2483804343.000001BB50800000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000015.00000002.2483451458.0000018462990000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000017.00000002.2483858312.000002844FEC0000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000022.00000002.2483280319.000001CD42DC0000.00000002.00000001.01000000.00000005.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.4.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.4.dr
Source: Setup.exe.4.dr Binary or memory string: [autorun]
Source: Setup.exe.4.dr Binary or memory string: %sautorun.inf
Source: Setup.exe.4.dr Binary or memory string: C:%s(%c:) - %s%s(%c:)%s(%d:) - %s%s(%d:)[autorun]open%c:\%s%sautorun.infexplorer.exe /e,/root,%c:\%c:\iso
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /idverificationz.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: idverificationz.b-cdn.netConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: idverificationz.b-cdn.net
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Setup.exe.4.dr String found in binary or memory: http://forum.ezbsystems.com
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, Setup.exe.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, Setup.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, Setup.exe.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://s.symcd.com06
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.17.dr String found in binary or memory: http://upx.sf.net
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com)
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/easyboot
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.htm
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=ar
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=bg
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=by
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=cn
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=ct
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=cz
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=de
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=dk
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=es
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=et
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=fi
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=fr
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=gr
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=he
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=hr
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=hu
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=id
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=it
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=jp
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=jphttp://www.ezbsystems.com/ultraiso/order.php?u
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=kr
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=lt
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=lv
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=mk
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=my
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=nl
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=no
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=pl
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=pt
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=ro
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=ru
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=se
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=si
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=sk
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=tr
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=tw
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=ua
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=vn
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.com/ultraiso/order.php?uilang=yu
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.comDVarFileInfo$
Source: Setup.exe.4.dr String found in binary or memory: http://www.ezbsystems.comhttp://www.ezbsystems.com/ultraisohttp://www.ezbsystems.com/ultraiso/order.
Source: Setup.exe.4.dr String found in binary or memory: http://www.ultraiso.com
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: wget.exe, 00000002.00000002.2128968030.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr String found in binary or memory: https://idverificationz.b-cdn.net/idverificationz.zip
Source: wget.exe, 00000002.00000002.2129068312.0000000001180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://idverificationz.b-cdn.net/idverificationz.zipOC
Source: 7za.exe, 00000004.00000003.2213270424.00000000011B0000.00000004.00000800.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, Setup.exe.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: https://sectigo.com/CPS0
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr, api-ms-win-core-synch-l1-2-0.dll.4.dr, api-ms-win-core-profile-l1-1-0.dll.4.dr, api-ms-win-crt-convert-l1-1-0.dll.4.dr, api-ms-win-core-string-l1-1-0.dll.4.dr, api-ms-win-crt-math-l1-1-0.dll.4.dr, api-ms-win-core-processthreads-l1-1-1.dll.4.dr, api-ms-win-crt-locale-l1-1-0.dll.4.dr, api-ms-win-core-sysinfo-l1-1-0.dll.4.dr, api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr, api-ms-win-core-util-l1-1-0.dll.4.dr, api-ms-win-crt-environment-l1-1-0.dll.4.dr, api-ms-win-crt-conio-l1-1-0.dll.4.dr, api-ms-win-crt-private-l1-1-0.dll.4.dr, api-ms-win-crt-multibyte-l1-1-0.dll.4.dr, api-ms-win-crt-process-l1-1-0.dll.4.dr, api-ms-win-crt-filesystem-l1-1-0.dll.4.dr, api-ms-win-crt-heap-l1-1-0.dll.4.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: C:\Windows\SysWOW64\7za.exe File dump: Setup.exe.4.dr 356923509
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2316 -s 316
Source: api-ms-win-crt-convert-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr Static PE information: No import functions for PE file found
Source: Setup.exe.4.dr Binary string: \Device\Harddisk%d\Partition4
Source: Setup.exe.4.dr Binary string: \Device\IsoCdRom%d
Source: Setup.exe.4.dr Binary string: >>>%s\Device\IsoCdRom%d\Device\IsoCdRom%dMapDrive\Device\IsoCdRom%d\\.\IsoCdRomISODriveAdd:ISODriveAdd:\\.\IsoCdRom\??\UNC%c:\??\UNC\??\ISODriveMount:ISODrive:%c: Length=%d, Status=%d, Device=%d
Source: Setup.exe.4.dr Binary string: LBA\\.\PhysicalDrive%d\\.\PhysicalDrive%d%d:%d (%c:%s)%d:%d (%c:)%d:%dYESYESFATNTFSFAT32EBR*Unknown%u(%.2f MB)%.2f MB(%.1f GB)%.1f GB(%.1f GB)%.1f GB%c:\\Device\Harddisk%d\Partition4R:
Source: classification engine Classification label: mal52.win@50/41@1/1
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2684:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2316
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5252:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7104
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6208
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6304
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5053c659-896b-401a-a8c7-f973165d6586 Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll,FlushInstructionCache
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://idverificationz.b-cdn.net/idverificationz.zip" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://idverificationz.b-cdn.net/idverificationz.zip"
Source: unknown Process created: C:\Windows\SysWOW64\7za.exe 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\idverificationz.zip"
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll,FlushInstructionCache
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll,GetCurrentProcessorNumber
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll,GetCurrentProcessorNumberEx
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2316 -s 316
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",FlushInstructionCache
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetCurrentProcessorNumber
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetCurrentProcessorNumberEx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",SetThreadIdealProcessorEx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",SetThreadContext
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",SetProcessMitigationPolicy
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",OpenProcess
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",IsProcessorFeaturePresent
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetThreadTimes
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetThreadIdealProcessorEx
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetThreadContext
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetProcessMitigationPolicy
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetProcessHandleCount
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetCurrentThreadStackLimits
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6208 -s 312
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6304 -s 316
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7104 -s 316
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://idverificationz.b-cdn.net/idverificationz.zip" Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll,FlushInstructionCache Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll,GetCurrentProcessorNumber Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll,GetCurrentProcessorNumberEx Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",FlushInstructionCache Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetCurrentProcessorNumber Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetCurrentProcessorNumberEx Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",SetThreadIdealProcessorEx Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",SetThreadContext Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",SetProcessMitigationPolicy Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",OpenProcess Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",IsProcessorFeaturePresent Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetThreadTimes Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetThreadIdealProcessorEx Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetThreadContext Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetProcessMitigationPolicy Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetProcessHandleCount Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",GetCurrentThreadStackLimits Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe Section loaded: 7z.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe File written: C:\Users\user\Desktop\extract\ks_tyres.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.4.dr
Source: Binary string: .pdb Ascii 'RSML' 'TEXT' "RasMac - Brookhaven PDB file" source: Setup.exe.4.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.4.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: rundll32.exe, 0000000E.00000002.2483804343.000001BB50800000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000015.00000002.2483451458.0000018462990000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000017.00000002.2483858312.000002844FEC0000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000022.00000002.2483280319.000001CD42DC0000.00000002.00000001.01000000.00000005.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.4.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.4.dr
Source: api-ms-win-crt-conio-l1-1-0.dll.4.dr Static PE information: 0xB5D7273D [Fri Sep 3 21:53:01 2066 UTC]
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_3_02AEB4B1 pushad ; retn 0078h 2_3_02AEB495
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_3_02AEC8E0 push eax; retf 2_3_02AEC8E1
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_3_02AEB5E0 pushad ; retn 0078h 2_3_02AEB5E5
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_3_02AEB4F9 pushfd ; retn 0000h 2_3_02AEB56B
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_3_02AF3728 pushad ; ret 2_3_02AF372B
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02AF3728 pushad ; ret 2_2_02AF372B

Persistence and Installation Behavior

Source: Email JoeBoxAI: AI detected Brand spoofing attempt in URL: URL: https://idverificationz.b-cdn.net/i
Source: Email JoeBoxAI: AI detected Typosquatting in URL: URL: https://idverificationz.b-cdn.net/i
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\Setup.exe Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\Setup.exe
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\Desktop\extract\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\loaddll64.exe TID: 7108 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: Amcache.hve.17.dr Binary or memory string: VMware
Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.17.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.17.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.17.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.17.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: idverificationz.zip.2.dr Binary or memory string: HGFs_5o]
Source: Amcache.hve.17.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.17.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: wget.exe, 00000002.00000002.2128968030.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.17.dr Binary or memory string: vmci.sys
Source: Amcache.hve.17.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.17.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.17.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.17.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.17.dr Binary or memory string: VMware20,1
Source: Amcache.hve.17.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.17.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.17.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.17.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.17.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.17.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.17.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extract\api-ms-win-core-processthreads-l1-1-1.dll",#1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://idverificationz.b-cdn.net/idverificationz.zip" > cmdline.out 2>&1
Source: Setup.exe.4.dr Binary or memory string: Program Manager
Source: Setup.exe.4.dr Binary or memory string: progman
Source: Setup.exe.4.dr Binary or memory string: LinkUIProgram ManagerprogmanSV
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.17.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.17.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.17.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr Binary or memory string: MsMpEng.exe