{"Version": 22201, "C2 list": ["78.46.73.125:443", "185.148.168.26:2303", "66.113.160.126:8172"]}
Source: 0.2.loaddll32.exe.10000000.2.unpack | Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["78.46.73.125:443", "185.148.168.26:2303", "66.113.160.126:8172"]} |
Source: 4.2.rundll32.exe.2540000.2.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 3.2.rundll32.exe.2b20000.2.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 10.2.rundll32.exe.2f50000.2.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 0.2.loaddll32.exe.870000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.693392606.0000000005184000.00000004.00000001.sdmp |
Source: | Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp |
Source: | Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.454437973.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: }KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 0000000B.00000002.608501083.00000000007D2000.00000004.00000001.sdmp |
Source: | Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp |
Source: | Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp |
Source: | Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp |
Source: | Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: FTBUP.pdb source: rundll32.exe, 0000000C.00000002.619356232.0000000010025000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.648756998.0000000010025000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.662788531.0000000010025000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.655611713.0000000010025000.00000002.00020000.sdmp, ed6aa63a_by_Libranalysis.dll |
Source: | Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.454437973.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000011.00000002.616516704.0000000000D72000.00000004.00000001.sdmp |
Source: | Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp |
Source: | Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp |
Source: | Binary string: combase.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp |
Source: | Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: KERNEL32C:\Windows\System32\KERNEL32.DLLC:\Windows\System32\KERNEL32.DLLRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.608501083.00000000007D2000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.616516704.0000000000D72000.00000004.00000001.sdmp |
Source: Malware configuration extractor | IPs: 78.46.73.125:443 |
Source: Malware configuration extractor | IPs: 185.148.168.26:2303 |
Source: Malware configuration extractor | IPs: 66.113.160.126:8172 |
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE |
Source: Joe Sandbox View | ASN Name: EVERSCALE-ASDE EVERSCALE-ASDE |
Source: Joe Sandbox View | ASN Name: HOSTWAYUS HOSTWAYUS |
Source: rundll32.exe, 0000000C.00000002.619371426.000000001002C000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.648781863.000000001002C000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.664880240.000000001002C000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.657864001.000000001002C000.00000002.00020000.sdmp, ed6aa63a_by_Libranalysis.dll | String found in binary or memory: http://ansicon.adoxa.vze.com/6 |
Source: Yara match | File source: 00000004.00000002.667101495.0000000010001000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000A.00000002.678218398.0000000010001000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.648546988.0000000010001000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10011460 | 0_2_10011460 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000846C | 0_2_1000846C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001494 | 0_2_10001494 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000A52C | 0_2_1000A52C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10011D58 | 0_2_10011D58 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10019348 | 0_2_10019348 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10010754 | 0_2_10010754 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100090CC | 0_2_100090CC |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 944 |
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6552 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6484 |
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll,RtplDtpmimr67 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll' | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',#1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll,RtplDtpmimr67 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',#1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsAddRef | |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 944 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsVarRelease | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsStartProfiling | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsIdle | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsCreateArray | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 596 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',#1 | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll,RtplDtpmimr67 | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsAddRef | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsVarRelease | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsStartProfiling | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsIdle | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',JsCreateArray | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ed6aa63a_by_Libranalysis.dll',#1 | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: ed6aa63a_by_Libranalysis.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.693392606.0000000005184000.00000004.00000001.sdmp |
Source: | Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp |
Source: | Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.454437973.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: }KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 0000000B.00000002.608501083.00000000007D2000.00000004.00000001.sdmp |
Source: | Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp |
Source: | Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp |
Source: | Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp |
Source: | Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: FTBUP.pdb source: rundll32.exe, 0000000C.00000002.619356232.0000000010025000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.648756998.0000000010025000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.662788531.0000000010025000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.655611713.0000000010025000.00000002.00020000.sdmp, ed6aa63a_by_Libranalysis.dll |
Source: | Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.454437973.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000011.00000002.616516704.0000000000D72000.00000004.00000001.sdmp |
Source: | Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp |
Source: | Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp |
Source: | Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000002.689138468.0000000005472000.00000004.00000040.sdmp |
Source: | Binary string: combase.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000002.689126217.0000000005470000.00000004.00000040.sdmp |
Source: | Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000002.689149107.0000000005478000.00000004.00000040.sdmp |
Source: | Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000002.688695770.0000000005101000.00000004.00000001.sdmp |
Source: | Binary string: KERNEL32C:\Windows\System32\KERNEL32.DLLC:\Windows\System32\KERNEL32.DLLRSDSwkernel32.pdb source: WerFault.exe, 0000000B.00000002.608501083.00000000007D2000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.616516704.0000000000D72000.00000004.00000001.sdmp |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000F6CC push esi; mov dword ptr [esp], 00000000h | 0_2_1000F6CD |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_02713730 pushfd ; retf 0076h | 4_2_02713732 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_1000508E push ecx; iretd | 12_2_1000508F |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_100070D5 push ebp; ret | 12_2_100070D6 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10006212 push ebp; iretd | 12_2_10006215 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10002E4C pushfd ; retf | 12_2_10002E62 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10007340 pushfd ; retf | 12_2_10007344 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10007351 pushfd ; iretd | 12_2_1000735D |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10002BC2 push eax; ret | 12_2_10002BC4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10007BFD pushfd ; iretd | 12_2_10007BFE |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: \KnownDlls32\Testapp.EXE | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: \KnownDlls32\Testapp.EXE | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: WerFault.exe, 0000000B.00000002.688371233.0000000004E70000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: WerFault.exe, 0000000B.00000002.688371233.0000000004E70000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: WerFault.exe, 0000000B.00000002.688371233.0000000004E70000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: WerFault.exe, 0000000B.00000002.688371233.0000000004E70000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, | 0_2_10006D50 |
Source: loaddll32.exe, 00000000.00000002.646263571.0000000000F30000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.681703669.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.646585353.0000000002B90000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.649980621.0000000003600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.646988818.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.619286869.0000000002E50000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.648668639.0000000003960000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.642836703.0000000002D70000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.653425413.00000000032B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.680481021.0000000003830000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.646263571.0000000000F30000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.681703669.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.646585353.0000000002B90000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.649980621.0000000003600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.646988818.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.619286869.0000000002E50000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.648668639.0000000003960000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.642836703.0000000002D70000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.653425413.00000000032B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.680481021.0000000003830000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.646263571.0000000000F30000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.681703669.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.646585353.0000000002B90000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.649980621.0000000003600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.646988818.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.619286869.0000000002E50000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.648668639.0000000003960000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.642836703.0000000002D70000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.653425413.00000000032B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.680481021.0000000003830000.00000002.00000001.sdmp | Binary or memory string: &Program Manager |
Source: loaddll32.exe, 00000000.00000002.646263571.0000000000F30000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.681703669.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.646585353.0000000002B90000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.649980621.0000000003600000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.646988818.0000000003320000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.619286869.0000000002E50000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.648668639.0000000003960000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.642836703.0000000002D70000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.653425413.00000000032B0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.680481021.0000000003830000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, | 0_2_10006D50 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, | 0_2_10006D50 |