Source: 13.2.rundll32.exe.6e8b0000.2.unpack | Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]} |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Virustotal: Detection: 20% |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | ReversingLabs: Detection: 28% |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Joe Sandbox ML: detected |
Source: 12.0.rundll32.exe.3220000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 12.2.rundll32.exe.4d34756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 9.2.rundll32.exe.33a0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 13.0.rundll32.exe.3b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 3.0.rundll32.exe.2f80000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 4.2.rundll32.exe.29a0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 3.0.rundll32.exe.4a04756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 4.2.rundll32.exe.4484756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 11.0.rundll32.exe.2990000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 11.0.rundll32.exe.47f4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 14.0.rundll32.exe.4884756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 11.0.rundll32.exe.2990000.3.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 13.2.rundll32.exe.3b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 1.2.loaddll32.exe.ce4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 12.2.rundll32.exe.3220000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 13.2.rundll32.exe.29f4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 12.0.rundll32.exe.4d34756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 3.0.rundll32.exe.2f80000.3.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 11.2.rundll32.exe.2990000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 1.2.loaddll32.exe.7b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 14.0.rundll32.exe.2d60000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 11.2.rundll32.exe.47f4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 13.0.rundll32.exe.29f4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 9.2.rundll32.exe.36a4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 3.0.rundll32.exe.4a04756.4.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 11.0.rundll32.exe.47f4756.4.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll |
Source: | Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp |
Source: Malware configuration extractor | IPs: 149.202.179.100:443 |
Source: Malware configuration extractor | IPs: 66.147.235.11:6891 |
Source: Malware configuration extractor | IPs: 81.0.236.89:13786 |
Source: Joe Sandbox View | ASN Name: HOSTROCKETUS |
Source: Joe Sandbox View | ASN Name: OVHFR |
Source: Joe Sandbox View | IP Address: 66.147.235.11 |
Source: Joe Sandbox View | IP Address: 149.202.179.100 |
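The extractor output above is the most useful thing in this report, so here is an added example (ours, not part of the Joe Sandbox report and not Dridex's own code) that turns it into something a SOC can deploy: it validates the config JSON, emits one Suricata rule per C2 socket, and wraps the two recovered RC4 keys in a helper that tries each key against a captured blob and reports which one yields an expected plaintext marker. Assumptions, labelled: the JSON is copied verbatim from the extractor line; the value the extractor calls "Version" (22201) is what public Dridex tracking refers to as the botnet ID; the SID range and rule wording are ours; rc4() is textbook RC4 and nothing here models how Dridex frames its RC4-protected data, only how to drive the recovered keys. The C2 addresses in a config like this are rotated quickly, so treat the generated rules as dated to this sample.

```python
"""Added example (not part of the Joe Sandbox report): make the extracted Dridex
configuration actionable.

Assumptions, labelled: the JSON below is copied from the report's extractor
output; the Suricata SID range and rule wording are ours; rc4() is textbook RC4
and nothing here models how Dridex frames its RC4-protected data, only how to
drive the recovered keys against a captured blob.
"""
import ipaddress
import json

# Copied from the report's "Malware Configuration Extractor" line.
CONFIG_JSON = (
    '{"Version": 22201, '
    '"C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], '
    '"RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", '
    '"ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}'
)


def parse_config(text):
    """Validate the extractor JSON; fail closed on anything that is not ip:port."""
    cfg = json.loads(text)
    c2 = []
    for entry in cfg["C2 list"]:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)          # ValueError on garbage
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError("bad port in %r" % entry)
        c2.append((str(ip), port))
    return {
        "botnet_id": cfg["Version"],             # "Version" is the botnet ID in Dridex parlance
        "c2": c2,
        "rc4_keys": [k.encode() for k in cfg["RC4 keys"]],
    }


def suricata_rules(c2, botnet_id, sid_base=9000001):
    """One rule per C2 socket. Dridex speaks TLS on arbitrary ports (443, 6891,
    13786 here), so match the destination socket rather than a protocol parser.
    Rule text and SID range are ours, not from the report."""
    rules = []
    for i, (ip, port) in enumerate(c2):
        rules.append(
            'alert tcp $HOME_NET any -> %s %d (msg:"Dridex botnet %s C2 %s:%d"; '
            'flow:to_server; sid:%d; rev:1;)' % (ip, port, botnet_id, ip, port, sid_base + i)
        )
    return rules


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def try_keys(keys, blob, marker):
    """Decrypt `blob` under each recovered key; return (key index, plaintext) for
    the first one whose output contains `marker`, else None. Use a marker you
    expect in the clear (a C2 address, a known header) so a wrong key cannot
    pass by accident."""
    for idx, key in enumerate(keys):
        pt = rc4(key, blob)
        if marker in pt:
            return idx, pt
    return None


if __name__ == "__main__":
    cfg = parse_config(CONFIG_JSON)
    for rule in suricata_rules(cfg["c2"], cfg["botnet_id"]):
        print(rule)
    # Constructed blob: encrypted here with the second extracted key so the
    # helper has something to recover; a real capture would come off the wire.
    blob = rc4(cfg["rc4_keys"][1], b"constructed: 149.202.179.100:443")
    print(try_keys(cfg["rc4_keys"], blob, b"149.202.179.100"))
```

The marker check in try_keys matters: RC4 produces output for any key, so "it decrypted" is not a signal; only a plaintext you can recognise is. The rc4() routine is checked in the usage against the standard "Key"/"Plaintext" vector before it is trusted with the extracted keys.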
Source: rundll32.exe, 00000003.00000000.423532537.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.784764544.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.698207139.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.723020912.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.753729339.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.713332446.000000006E8CF000.00000002.00020000.sdmp | String found in binary or memory: http://www.vomfass.deDVarFileInfo$ |
Source: Yara match | File source: 9.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 13.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 12.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 12.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.0.rundll32.exe.6e8b0000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 14.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 13.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0000000C.00000000.680670011.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000D.00000000.682183733.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000002.719392684.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000002.753337263.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000D.00000002.749868846.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000000.423290755.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000000.698176529.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.780387984.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000000.676132737.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000E.00000000.701129229.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Joe Sandbox Cloud Basic: Detection: malicious Score: 76 Threat Name: Dridex |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E8B1494 | 1_2_6E8B1494 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C0754 | 4_2_6E8C0754 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C9348 | 4_2_6E8C9348 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8B1494 | 4_2_6E8B1494 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8B846C | 4_2_6E8B846C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C1460 | 4_2_6E8C1460 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8BA52C | 4_2_6E8BA52C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C1D58 | 4_2_6E8C1D58 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C223C NtDelayExecution, | 4_2_6E8C223C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C2840 NtAllocateVirtualMemory, | 4_2_6E8C2840 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8BBB88 NtClose, | 4_2_6E8BBB88 |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',CheckTrust |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllCanUnloadNow |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllGetClassObject |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DownloadFile |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',GetICifFileFromFile |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652 |
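Two caveats before reading the process tree as attacker behaviour. loaddll32.exe is the sandbox's own harness: it enumerates the DLL's export table and launches one rundll32.exe per export, so the rundll32 lines for CheckTrust, DllCanUnloadNow, DllGetClassObject, DownloadFile and GetICifFileFromFile are the harness calling exports, not the sample choosing to run them, and the two WerFault.exe launches are rundll32 crashing when an export is entered with arguments it never expected. Those export names appear to copy the export table of a legitimate Windows component (inseng.dll, the Internet Setup Engine, exports a GetICifFileFromFile); that is an observation, not something the report states. What does survive as a detection signal on a real host is the shape of the rundll32 invocation: a DLL under a user-writable directory, an export that is an ordinal or a generated-looking name (FFRgpmdlwwWde), and a rundll32 crash right after. The following added example (ours, not part of the Joe Sandbox report) scores constructed process-creation events for exactly that pattern. Assumptions, labelled: the events mirror the report's process tree but the report does not say which export ran in which PID, so that pairing is ours; the user-writable path list, the vowel-ratio heuristic and the rule names are ours.

```python
"""Added example (not part of the Joe Sandbox report): score process-creation
events for the rundll32 pattern shown in the report's process tree.

Assumptions, labelled: the events below are constructed to mirror the report
(which export ran in which PID is not stated there, so the pairing is ours);
the path list, the export-name heuristic and the rule names are ours.
"""
import re

# Directories an unprivileged user can write to; a DLL loaded from here by
# rundll32 deserves a look regardless of its export name.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

RUNDLL_RE = re.compile(
    r"rundll32\.exe\s+'?(?P<dll>[^',]+?)'?\s*,\s*(?P<export>[#\w]+)", re.I)
WERFAULT_RE = re.compile(r"werfault\.exe\s+.*-p\s+(?P<pid>\d+)", re.I)

# Constructed events in Sysmon-EventID-1 spirit: pid, parent pid, image, cmdline.
EVENTS = [
    {"pid": 7144, "ppid": 1000, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde"},
    {"pid": 6296, "ppid": 1000, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DownloadFile"},
    {"pid": 7300, "ppid": 7144, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652"},
    {"pid": 7301, "ppid": 6296, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652"},
    # Benign control: a system DLL from System32 with a well-known export.
    {"pid": 4242, "ppid": 800, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def looks_random(export):
    """Heuristic, ours: ordinals carry no name to attribute, and generated names
    such as FFRgpmdlwwWde have almost no vowels. Tune the threshold on your own
    baseline of legitimate rundll32 exports before relying on it."""
    if export.startswith("#"):
        return True
    letters = [c for c in export if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < 0.15


def analyse(events):
    """Return (pid, rule, detail) triples."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        if image.endswith("rundll32.exe"):
            m = RUNDLL_RE.search(e["cmdline"])
            if not m:
                continue
            dll, export = m.group("dll"), m.group("export")
            if any(p in dll.lower() for p in USER_WRITABLE):
                findings.append((e["pid"], "user_writable_dll", dll))
            if looks_random(export):
                findings.append((e["pid"], "suspicious_export", export))
        elif image.endswith("werfault.exe"):
            m = WERFAULT_RE.search(e["cmdline"])
            crashed = by_pid.get(int(m.group("pid"))) if m else None
            # rundll32 crashing right after loading a foreign DLL is what you see
            # when an export is entered with arguments it never expected.
            if crashed and crashed["image"].lower().endswith("rundll32.exe"):
                findings.append((e["pid"], "rundll32_crash", crashed["cmdline"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The crash rule deliberately joins WerFault's -p argument back to the rundll32 event rather than alerting on WerFault alone; on a real host WerFault fires constantly, and it is only the combination with a rundll32 that loaded a DLL from a user path that is worth a ticket.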
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6296 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7144 |
Source: classification engine | Classification label: mal84.troj.evad.winDLL@23/6@0/3 (Joe Sandbox label format: score 84, trojan, evasive, Windows DLL; the counters are processes/dropped files and contacted domains/IPs) |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Static file information: File size 1093632 > 1048576 |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8BF6CC push esi; mov dword ptr [esp], 00000000h | 4_2_6E8BF6CD |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (9 identical entries collapsed) |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries collapsed) |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (18 identical entries collapsed) |
Note: the error-mode flags attributed to WerFault.exe are the Windows crash reporter's own behaviour, not the sample's; only the rundll32.exe entries describe code running in the process that hosts the sample.
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: OutputDebugStringW count: 389 |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C0754 GetTokenInformation,GetSystemInfo,GetTokenInformation, | 4_2_6E8C0754 |
Source: WERE0CF.tmp.xml.21.dr | Binary or memory string: <arg nm="syspro" val="VMware7,1" /> |
Source: WERDF95.tmp.WERInternalMetadata.xml.21.dr | Binary or memory string: <SystemManufacturer>VMware, Inc.</SystemManufacturer> |
Source: WERDF95.tmp.WERInternalMetadata.xml.21.dr | Binary or memory string: <SystemProductName>VMware7,1</SystemProductName> |
Source: WERE0CF.tmp.xml.21.dr | Binary or memory string: <arg nm="sysmfg" val="VMware, Inc." /> |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8B6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, | 4_2_6E8B6D50 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C3110 RtlAddVectoredExceptionHandler, | 4_2_6E8C3110 |
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |