{"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}
Source: 4.2.rundll32.exe.728a0000.3.unpack | Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]} |
Source: 1.2.loaddll32.exe.3a0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 3.2.rundll32.exe.25e0000.2.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 4.2.rundll32.exe.32a0000.2.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: CTkT1fRtQv.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: CTkT1fRtQv.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: opengl32.pdb source: WerFault.exe, 00000007.00000003.736415453.0000000005138000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.736445673.0000000005135000.00000004.00000040.sdmp |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.736408490.0000000005132000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: wgdi32full.pdbk source: WerFault.exe, 00000007.00000003.736445673.0000000005135000.00000004.00000040.sdmp |
Source: | Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.736415453.0000000005138000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.725254393.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.800213949.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: glu32.pdb source: WerFault.exe, 00000007.00000003.736415453.0000000005138000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.725254393.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.800213949.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000007.00000002.744696261.00000000009A2000.00000004.00000010.sdmp |
Source: | Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.736445673.0000000005135000.00000004.00000040.sdmp |
Source: | Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.736415453.0000000005138000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: fffp4.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp, CTkT1fRtQv.dll |
Source: | Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.736439956.0000000005130000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32.pdbk source: WerFault.exe, 00000007.00000003.736445673.0000000005135000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.731326063.0000000002FA8000.00000004.00000001.sdmp |
Source: | Binary string: sechost.pdbk source: WerFault.exe, 00000007.00000003.736408490.0000000005132000.00000004.00000040.sdmp |
Source: | Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.736415453.0000000005138000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.731326063.0000000002FA8000.00000004.00000001.sdmp |
Source: | Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.736408490.0000000005132000.00000004.00000040.sdmp |
Source: | Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.736439956.0000000005130000.00000004.00000040.sdmp |
Source: | Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: wkernel32.pdb( source: WerFault.exe, 00000007.00000003.731124198.0000000002FA2000.00000004.00000001.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000007.00000003.736408490.0000000005132000.00000004.00000040.sdmp |
Source: | Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.736439956.0000000005130000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.732014556.0000000002F9C000.00000004.00000001.sdmp |
Source: Malware configuration extractor | IPs: 94.247.168.64:443 |
Source: Malware configuration extractor | IPs: 159.203.93.122:8172 |
Source: Malware configuration extractor | IPs: 50.116.27.97:2303 |
Source: Joe Sandbox View | IP Address: 159.203.93.122 159.203.93.122 |
Source: Joe Sandbox View | IP Address: 50.116.27.97 50.116.27.97 |
Source: Joe Sandbox View | IP Address: 94.247.168.64 94.247.168.64 |
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS |
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS |
Source: Joe Sandbox View | ASN Name: GLESYS-ASSE GLESYS-ASSE |
Source: CTkT1fRtQv.dll | String found in binary or memory: http://ansicon.adoxa.vze.com/6 |
Source: Initial file | Signature Results: Dridex dropper behavior |
Source: Yara match | File source: 00000003.00000002.913495696.00000000728A1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.912730818.00000000728A1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 3.2.rundll32.exe.728a0000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.728a0000.3.unpack, type: UNPACKEDPE |
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98% |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728B2790 NtAllocateVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728B218C NtDelayExecution, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728ABC00 NtClose, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728B07CC |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728A1494 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728B92DC |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728B14D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728A84E4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728AA5A4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728A9144 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 144 |
Source: CTkT1fRtQv.dll | Binary or memory string: OriginalFilenameANSI32.dll0 vs CTkT1fRtQv.dll |
Source: CTkT1fRtQv.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: CTkT1fRtQv.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7024 |
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8DD.tmp | Jump to behavior |
Source: CTkT1fRtQv.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',ReadLogRecord |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 144 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',ReadLogRecord |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1 |
Source: CTkT1fRtQv.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: CTkT1fRtQv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: | Binary string: opengl32.pdb source: WerFault.exe, 00000007.00000003.736415453.0000000005138000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.736445673.0000000005135000.00000004.00000040.sdmp |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.736408490.0000000005132000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: wgdi32full.pdbk source: WerFault.exe, 00000007.00000003.736445673.0000000005135000.00000004.00000040.sdmp |
Source: | Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.736415453.0000000005138000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.725254393.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.800213949.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: glu32.pdb source: WerFault.exe, 00000007.00000003.736415453.0000000005138000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.725254393.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.800213949.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000007.00000002.744696261.00000000009A2000.00000004.00000010.sdmp |
Source: | Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.736445673.0000000005135000.00000004.00000040.sdmp |
Source: | Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.736415453.0000000005138000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: fffp4.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp, CTkT1fRtQv.dll |
Source: | Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.736439956.0000000005130000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32.pdbk source: WerFault.exe, 00000007.00000003.736445673.0000000005135000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.731326063.0000000002FA8000.00000004.00000001.sdmp |
Source: | Binary string: sechost.pdbk source: WerFault.exe, 00000007.00000003.736408490.0000000005132000.00000004.00000040.sdmp |
Source: | Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.736415453.0000000005138000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.731326063.0000000002FA8000.00000004.00000001.sdmp |
Source: | Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.736408490.0000000005132000.00000004.00000040.sdmp |
Source: | Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.736439956.0000000005130000.00000004.00000040.sdmp |
Source: | Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: wkernel32.pdb( source: WerFault.exe, 00000007.00000003.731124198.0000000002FA2000.00000004.00000001.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.736402143.0000000005161000.00000004.00000001.sdmp |
Source: | Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000007.00000003.736408490.0000000005132000.00000004.00000040.sdmp |
Source: | Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.736439956.0000000005130000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.732014556.0000000002F9C000.00000004.00000001.sdmp |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728AF744 push esi; mov dword ptr [esp], 00000000h |
Source: initial sample | Static PE information: section name: .text entropy: 7.55877156847 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: OutputDebugStringW count: 833 |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: \KnownDlls32\testapp.exe |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\testapp.exe |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\testapp.exe |
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 524 |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728B07CC GetTokenInformation,GetSystemInfo,GetTokenInformation, |
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000 |
Source: WerFault.exe, 00000007.00000002.745448196.0000000004E80000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: WerFault.exe, 00000007.00000002.745448196.0000000004E80000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: WerFault.exe, 00000007.00000002.745448196.0000000004E80000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: WerFault.exe, 00000007.00000002.745448196.0000000004E80000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728A6DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728B3060 RtlAddVectoredExceptionHandler, |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\CTkT1fRtQv.dll',#1 |
Source: rundll32.exe, 00000003.00000002.913329962.0000000002FE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.912044379.00000000038C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: rundll32.exe, 00000003.00000002.913329962.0000000002FE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.912044379.00000000038C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: rundll32.exe, 00000003.00000002.913329962.0000000002FE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.912044379.00000000038C0000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: rundll32.exe, 00000003.00000002.913329962.0000000002FE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.912044379.00000000038C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_728A6DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.