Source: 13.2.rundll32.exe.6e8b0000.2.unpack | Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]} |
Source: 12.0.rundll32.exe.3220000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 12.2.rundll32.exe.4d34756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 9.2.rundll32.exe.33a0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 13.0.rundll32.exe.3b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 3.0.rundll32.exe.2f80000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 4.2.rundll32.exe.29a0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 3.0.rundll32.exe.4a04756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 4.2.rundll32.exe.4484756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 11.0.rundll32.exe.2990000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 11.0.rundll32.exe.47f4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 14.0.rundll32.exe.4884756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 11.0.rundll32.exe.2990000.3.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 13.2.rundll32.exe.3b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 1.2.loaddll32.exe.ce4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 12.2.rundll32.exe.3220000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 13.2.rundll32.exe.29f4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 12.0.rundll32.exe.4d34756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 3.0.rundll32.exe.2f80000.3.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 11.2.rundll32.exe.2990000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 1.2.loaddll32.exe.7b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 14.0.rundll32.exe.2d60000.0.unpack | Avira: Label: TR/ATRAPS.Gen2 |
Source: 11.2.rundll32.exe.47f4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 13.0.rundll32.exe.29f4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 9.2.rundll32.exe.36a4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 3.0.rundll32.exe.4a04756.4.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: 11.0.rundll32.exe.47f4756.4.unpack | Avira: Label: TR/Patched.Ren.Gen |
Source: | Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll |
Source: | Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp |
Source: rundll32.exe, 00000003.00000000.423532537.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.784764544.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.698207139.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.723020912.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.753729339.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.713332446.000000006E8CF000.00000002.00020000.sdmp | String found in binary or memory: http://www.vomfass.deDVarFileInfo$ |
Source: Yara match | File source: 9.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 13.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 12.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 12.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.0.rundll32.exe.6e8b0000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 14.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 11.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 13.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0000000C.00000000.680670011.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000D.00000000.682183733.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000C.00000002.719392684.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000002.753337263.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000D.00000002.749868846.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000003.00000000.423290755.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000000.698176529.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000009.00000002.780387984.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000000.676132737.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000E.00000000.701129229.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E8B1494 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C0754 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C9348 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8B1494 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8B846C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C1460 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8BA52C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C1D58 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C223C NtDelayExecution, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C2840 NtAllocateVirtualMemory, |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8BBB88 NtClose, |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Virustotal: Detection: 20% |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | ReversingLabs: Detection: 28% |
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',CheckTrust |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllCanUnloadNow |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllGetClassObject |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DownloadFile |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',GetICifFileFromFile |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6296 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7144 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8C0754 GetTokenInformation,GetSystemInfo,GetTokenInformation, |
Source: WERE0CF.tmp.xml.21.dr | Binary or memory string: <arg nm="syspro" val="VMware7,1" /> |
Source: WERDF95.tmp.WERInternalMetadata.xml.21.dr | Binary or memory string: <SystemManufacturer>VMware, Inc.</SystemManufacturer> |
Source: WERDF95.tmp.WERInternalMetadata.xml.21.dr | Binary or memory string: <SystemProductName>VMware7,1</SystemProductName> |
Source: WERE0CF.tmp.xml.21.dr | Binary or memory string: <arg nm="sysmfg" val="VMware, Inc." /> |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E8B6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager |
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |