Source: 4.2.rundll32.exe.70980000.3.unpack |
Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]} |
Source: 1.2.loaddll32.exe.8f0000.1.unpack |
Avira: Label: TR/ATRAPS.Gen2 |
Source: 5.2.rundll32.exe.3390000.2.unpack |
Avira: Label: TR/ATRAPS.Gen2 |
Source: 4.2.rundll32.exe.2cc0000.1.unpack |
Avira: Label: TR/ATRAPS.Gen2 |
Source: BJKPKLUPiD.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: BJKPKLUPiD.dll |
Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: opengl32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.669606203.0000000004E02000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000E.00000003.669606203.0000000004E02000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.398421217.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.475061167.000000004B280000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: glu32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.398421217.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.475061167.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: advapi32.pdb| source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: fffp4.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp, BJKPKLUPiD.dll |
Source: |
Binary string: wimm32.pdbn source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.662739422.0000000002CF8000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp |
Source: |
Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.675254506.0000000000892000.00000004.00000010.sdmp |
Source: Malware configuration extractor |
IPs: 94.247.168.64:443 |
Source: Malware configuration extractor |
IPs: 159.203.93.122:8172 |
Source: Malware configuration extractor |
IPs: 50.116.27.97:2303 |
Source: Joe Sandbox View |
IP Address: 159.203.93.122 159.203.93.122 |
Source: Joe Sandbox View |
IP Address: 50.116.27.97 50.116.27.97 |
Source: Joe Sandbox View |
IP Address: 94.247.168.64 94.247.168.64 |
Source: Joe Sandbox View |
ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS |
Source: Joe Sandbox View |
ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS |
Source: Joe Sandbox View |
ASN Name: GLESYS-ASSE GLESYS-ASSE |
Source: BJKPKLUPiD.dll |
String found in binary or memory: http://ansicon.adoxa.vze.com/6 |
Source: loaddll32.exe, 00000001.00000002.677687815.000000000099B000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: Initial file |
Signature Results: Dridex dropper behavior |
|
Source: Yara match |
File source: 00000004.00000002.727624069.0000000070981000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.728718792.0000000070981000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 5.2.rundll32.exe.70980000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 4.2.rundll32.exe.70980000.3.unpack, type: UNPACKEDPE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process Stats: CPU usage > 98% |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_7099218C NtDelayExecution, |
4_2_7099218C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_70992790 NtAllocateVirtualMemory, |
4_2_70992790 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_7098BC00 NtClose, |
4_2_7098BC00 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_70981494 |
4_2_70981494 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_709907CC |
4_2_709907CC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_709914D8 |
4_2_709914D8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_709884E4 |
4_2_709884E4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_7098A5A4 |
4_2_7098A5A4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_70989144 |
4_2_70989144 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_709992DC |
4_2_709992DC |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6528 -s 148 |
Source: BJKPKLUPiD.dll |
Binary or memory string: OriginalFilenameANSI32.dll0 vs BJKPKLUPiD.dll |
Source: BJKPKLUPiD.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: BJKPKLUPiD.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6528 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE11.tmp |
Jump to behavior |
Source: BJKPKLUPiD.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',ReadLogRecord |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6528 -s 148 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',ReadLogRecord |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1 |
Jump to behavior |
Source: BJKPKLUPiD.dll |
Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: BJKPKLUPiD.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: opengl32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.669606203.0000000004E02000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000E.00000003.669606203.0000000004E02000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.398421217.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.475061167.000000004B280000.00000004.00000001.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: glu32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.398421217.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.475061167.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: advapi32.pdb| source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: fffp4.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp, BJKPKLUPiD.dll |
Source: |
Binary string: wimm32.pdbn source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.662739422.0000000002CF8000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.669611843.0000000004E07000.00000004.00000040.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp |
Source: |
Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.669628863.0000000004E00000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdbk source: WerFault.exe, 0000000E.00000003.669594927.0000000004E31000.00000004.00000001.sdmp |
Source: |
Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.675254506.0000000000892000.00000004.00000010.sdmp |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_7098F744 push esi; mov dword ptr [esp], 00000000h |
4_2_7098F745 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.55877156847 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Section loaded: OutputDebugStringW count: 1684 |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: \KnownDlls32\testapp.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Section loaded: \KnownDlls32\testapp.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Section loaded: \KnownDlls32\testapp.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Window / User API: threadDelayed 964 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Window / User API: threadDelayed 720 |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe |
Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe |
Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe |
Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_709907CC GetTokenInformation,GetSystemInfo,GetTokenInformation, |
4_2_709907CC |
Source: C:\Windows\System32\loaddll32.exe |
Thread delayed: delay time: 120000 |
Jump to behavior |
Source: WerFault.exe, 0000000E.00000002.676452100.0000000004F20000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: WerFault.exe, 0000000E.00000002.676452100.0000000004F20000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: WerFault.exe, 0000000E.00000002.676452100.0000000004F20000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: WerFault.exe, 0000000E.00000002.676452100.0000000004F20000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_70986DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
4_2_70986DC8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_70993060 RtlAddVectoredExceptionHandler, |
4_2_70993060 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\BJKPKLUPiD.dll',#1 |
Jump to behavior |
Source: rundll32.exe, 00000004.00000002.725490556.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.726388179.00000000038C0000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: rundll32.exe, 00000004.00000002.725490556.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.726388179.00000000038C0000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: rundll32.exe, 00000004.00000002.725490556.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.726388179.00000000038C0000.00000002.00000001.sdmp |
Binary or memory string: &Program Manager |
Source: rundll32.exe, 00000004.00000002.725490556.0000000003280000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.726388179.00000000038C0000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
4_2_70986DC8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_70986DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
4_2_70986DC8 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |