Source: 5.2.rundll32.exe.73320000.3.unpack |
Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]} |
Source: 2.2.rundll32.exe.25d0000.2.unpack |
Avira: Label: TR/ATRAPS.Gen2 |
Source: 0.2.loaddll32.exe.ec0000.1.unpack |
Avira: Label: TR/ATRAPS.Gen2 |
Source: 5.2.rundll32.exe.23d0000.2.unpack |
Avira: Label: TR/ATRAPS.Gen2 |
Source: u3A1eWFqLE.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: u3A1eWFqLE.dll |
Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: opengl32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp |
Source: |
Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.547563461.0000000003382000.00000004.00000040.sdmp |
Source: |
Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.542076918.0000000001051000.00000004.00000001.sdmp |
Source: |
Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: |
Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.547563461.0000000003382000.00000004.00000040.sdmp |
Source: |
Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp |
Source: |
Binary string: opengl32.pdbY source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.277316617.00000000045D0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.340830020.000000004B280000.00000004.00000001.sdmp |
Source: |
Binary string: glu32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp |
Source: |
Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: |
Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.277316617.00000000045D0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.340830020.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.542068835.000000000104B000.00000004.00000001.sdmp |
Source: |
Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: |
Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: |
Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp |
Source: |
Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: |
Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.553395034.0000000000C92000.00000004.00000010.sdmp |
Source: |
Binary string: msvcrt.pdbG source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp |
Source: |
Binary string: fffp4.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp, u3A1eWFqLE.dll |
Source: |
Binary string: advapi32.pdbK source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp |
Source: |
Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp |
Source: |
Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: |
Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.542316741.0000000001057000.00000004.00000001.sdmp |
Source: |
Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp |
Source: |
Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.542316741.0000000001057000.00000004.00000001.sdmp |
Source: |
Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: |
Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp |
Source: |
Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: |
Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.542076918.0000000001051000.00000004.00000001.sdmp |
Source: |
Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: |
Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp |
Source: |
Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp |
Source: Malware configuration extractor |
IPs: 94.247.168.64:443 |
Source: Malware configuration extractor |
IPs: 159.203.93.122:8172 |
Source: Malware configuration extractor |
IPs: 50.116.27.97:2303 |
Source: Joe Sandbox View |
IP Address: 159.203.93.122 |
Source: Joe Sandbox View |
IP Address: 50.116.27.97 |
Source: Joe Sandbox View |
IP Address: 94.247.168.64 |
Source: Joe Sandbox View |
ASN Name: DIGITALOCEAN-ASNUS |
Source: Joe Sandbox View |
ASN Name: LINODE-APLinodeLLCUS |
Source: Joe Sandbox View |
ASN Name: GLESYS-ASSE |
Source: u3A1eWFqLE.dll |
String found in binary or memory: http://ansicon.adoxa.vze.com/6 |
Source: loaddll32.exe, 00000000.00000002.558625849.0000000000B6B000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: Initial file |
Signature Results: Dridex dropper behavior |
|
Source: Yara match |
File source: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000005.00000002.620248864.0000000073321000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 2.2.rundll32.exe.73320000.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 5.2.rundll32.exe.73320000.3.unpack, type: UNPACKEDPE |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process Stats: CPU usage > 98% |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_73332790 NtAllocateVirtualMemory |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_7333218C NtDelayExecution |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_7332BC00 NtClose |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_733307CC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_73321494 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_733392DC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_73329144 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_7332A5A4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_733284E4 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_733314D8 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 412 |
Source: u3A1eWFqLE.dll |
Binary or memory string: OriginalFilenameANSI32.dll0 vs u3A1eWFqLE.dll |
Source: u3A1eWFqLE.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5340 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3493.tmp |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',ReadLogRecord |
|
Source: u3A1eWFqLE.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_7332F744 push esi; mov dword ptr [esp], 00000000h (2_2_7332F745) |
Source: initial sample |
Static PE information: section name: .text entropy: 7.55877156847 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Section loaded: OutputDebugStringW count: 2098 |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: \KnownDlls32\testapp.exe |
Source: C:\Windows\SysWOW64\rundll32.exe |
Section loaded: \KnownDlls32\testapp.exe |
Source: C:\Windows\SysWOW64\rundll32.exe |
Window / User API: threadDelayed 1173 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Window / User API: threadDelayed 924 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_733307CC GetTokenInformation,GetSystemInfo,GetTokenInformation |
Source: C:\Windows\System32\loaddll32.exe |
Thread delayed: delay time: 120000 |
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp |
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp |
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp |
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp |
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_73326DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_73333060 RtlAddVectoredExceptionHandler |
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp |
Binary or memory string: SProgram Managerl |
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd, |
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |
Source: C:\Windows\SysWOW64\rundll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |