Source: 0.2.loaddll32.exe.ec0000.1.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: qMus8K6kXx.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: qMus8K6kXx.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: opengl32.pdb source: WerFault.exe, 00000012.00000003.557115775.0000000005060000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.557121244.0000000005064000.00000004.00000040.sdmp |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.551211425.0000000000DB1000.00000004.00000001.sdmp |
Source: | Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: wgdi32full.pdbk source: WerFault.exe, 00000012.00000003.557121244.0000000005064000.00000004.00000040.sdmp |
Source: | Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.286166045.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.353723939.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: glu32.pdb source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp |
Source: | Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.286166045.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.353723939.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.552765546.0000000000DAB000.00000004.00000001.sdmp |
Source: | Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: fffp4.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp, qMus8K6kXx.dll |
Source: | Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.557115775.0000000005060000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.551555159.0000000000DB7000.00000004.00000001.sdmp |
Source: | Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.551555159.0000000000DB7000.00000004.00000001.sdmp |
Source: | Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp |
Source: | Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.551211425.0000000000DB1000.00000004.00000001.sdmp |
Source: | Binary string: wimm32.pdb\ source: WerFault.exe, 00000012.00000003.557127342.0000000005067000.00000004.00000040.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.557115775.0000000005060000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.557079049.0000000005091000.00000004.00000001.sdmp |
Source: | Binary string: a1pjr4pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000012.00000002.575659374.0000000000A92000.00000004.00000010.sdmp |
Source: | Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.551204253.0000000000DAB000.00000004.00000001.sdmp |
Source: qMus8K6kXx.dll | String found in binary or memory: http://ansicon.adoxa.vze.com/6 |
Source: Initial file | Signature Results: Dridex dropper behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98% |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 416 |
Source: qMus8K6kXx.dll | Binary or memory string: OriginalFilenameANSI32.dll0 vs qMus8K6kXx.dll |
Source: qMus8K6kXx.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal60.bank.evad.winDLL@8/4@0/1 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1536 |
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4CA2.tmp |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qMus8K6kXx.dll',#1 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\qMus8K6kXx.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\qMus8K6kXx.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qMus8K6kXx.dll',ReadLogRecord |
Source: qMus8K6kXx.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: initial sample | Static PE information: section name: .text entropy: 7.55877156847 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: OutputDebugStringW count: 1603 |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: \KnownDlls32\testapp.exe |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\testapp.exe |
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 916 |
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 684 |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000 |
Source: WerFault.exe, 00000012.00000002.579940482.0000000004DC0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: WerFault.exe, 00000012.00000002.579940482.0000000004DC0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: WerFault.exe, 00000012.00000002.579940482.0000000004DC0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: WerFault.exe, 00000012.00000002.579940482.0000000004DC0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |