Analysis Report ghost.dll

Overview

General Information

Sample Name: ghost.dll
Analysis ID: 379667
MD5: 3b491b7d2e499a6e99eb4041c519a966
SHA1: 842627191fe181fca8bc115507baab36f4b91654
SHA256: b0bc056257f5bee8532b5978c082d9fd173eb07128aea13af83938ca94ebe4dd

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number, etc.) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Compliance:

Uses 32bit PE files
Source: ghost.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: ghost.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: propsys.pdbO3 source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb86 source: WerFault.exe, 0000001B.00000003.412618555.0000000004ED0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\ghost.pdbd source: rundll32.exe, 0000000F.00000002.434760041.00000000033B3000.00000004.00000020.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.354826015.0000000000810000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382918143.00000000052C0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395823309.0000000004BB0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412618555.0000000004ED0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.381309008.000000000070E000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.391502921.000000000098D000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdbo source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb% source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbS source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412428526.0000000004DD1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdbM source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb_ source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000A.00000003.353479613.0000000004E10000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.379994838.00000000054D0000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.391702222.0000000004D30000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.409135731.0000000005100000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o

System Summary:

Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04278DA2 5_2_04278DA2
Source: C:\Windows\SysWOW64\WerFault.exe Code function: 27_2_008D1B0D 27_2_008D1B0D
Source: C:\Windows\SysWOW64\WerFault.exe Code function: 27_2_008CAFE7 27_2_008CAFE7
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 1028
PE file contains strange resources
Source: ghost.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ghost.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses 32bit PE files
Source: ghost.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: clean6.winDLL@33/17@0/1
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7112
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7056
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6828
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6664
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA77E.tmp
Source: ghost.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ghost.dll,?addZombie@ghostlib@@YAXU_clientData@1@@Z
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ghost.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ghost.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ghost.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ghost.dll,?deleteZombie@ghostlib@@YAXH@Z
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 1028
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ghost.dll,?getZombieCount@ghostlib@@YAHXZ
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ghost.dll,?getZombieData@ghostlib@@YAAAU_clientData@1@H@Z
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ghost.dll,?getZombieIndex@ghostlib@@YAHI@Z
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ghost.dll,?parseZombie@ghostlib@@YAXIHPAD@Z
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6664 -s 1028
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ghost.dll,?updateZombieConnection@ghostlib@@YAXHI@Z
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 1028
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ghost.dll',?addZombie@ghostlib@@YAXU_clientData@1@@Z
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ghost.dll',?deleteZombie@ghostlib@@YAXH@Z
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ghost.dll',?getZombieCount@ghostlib@@YAHXZ
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ghost.dll',?getZombieData@ghostlib@@YAAAU_clientData@1@H@Z
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ghost.dll',?getZombieIndex@ghostlib@@YAHI@Z
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1028
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ghost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ghost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ghost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ghost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ghost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ghost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ghost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.354778188.0000000000811000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382722138.00000000052C1000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395643772.0000000004BB1000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412481857.0000000004ED1000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412428526.0000000004DD1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.354826015.0000000000810000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382918143.00000000052C0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395823309.0000000004BB0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412618555.0000000004ED0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.390081936.0000000000981000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdbw source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\ghost.pdbction source: rundll32.exe, 0000000F.00000002.434619782.000000000337A000.00000004.00000020.sdmp
Source: Binary string: (P^lHC:\Users\user\Desktop\ghost.pdb2 source: rundll32.exe, 00000012.00000002.440633427.0000000002D6A000.00000004.00000010.sdmp, rundll32.exe, 00000016.00000002.451872776.000000000089A000.00000004.00000010.sdmp
Source: Binary string: C:\Users\Andre\Documents\Visual Studio 2015\Projects\ghost\Release\ghost.pdb source: rundll32.exe, 00000002.00000002.332564130.000000000516A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.333642812.00000000049CA000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.390709241.000000007364A000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.347865671.000000000456A000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.356017758.000000007364A000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.364210056.000000000462A000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.434760041.00000000033B3000.00000004.00000020.sdmp, rundll32.exe, 00000012.00000002.450127060.00000000071FA000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.393607696.000000007364A000.00000002.00020000.sdmp, rundll32.exe, 00000016.00000002.455781535.000000000482A000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.388822904.000000007364A000.00000002.00020000.sdmp, rundll32.exe, 00000018.00000002.389741243.000000007364A000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.396291858.000000000709A000.00000002.00020000.sdmp, ghost.dll
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000A.00000003.354767041.0000000000823000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382640588.00000000052D3000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395596427.0000000004BC3000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412466766.0000000004EE3000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\ghost.pdbulOd source: rundll32.exe, 0000000F.00000002.434760041.00000000033B3000.00000004.00000020.sdmp
Source: Binary string: profapi.pdb? source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb/ source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb` source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.391502921.000000000098D000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000A.00000003.354826015.0000000000810000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382918143.00000000052C0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395823309.0000000004BB0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412618555.0000000004ED0000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp, WERF9A6.tmp.dmp.27.dr
Source: Binary string: \??\C:\Windows\symbols\dll\ghost.pdbdb source: rundll32.exe, 0000000F.00000002.434619782.000000000337A000.00000004.00000020.sdmp
Source: Binary string: msvcp140.i386.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbM source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: sers\Andre\Documents\Visual Studio 2015\Projects\ghost\Release\ghost.pdb source: rundll32.exe, 0000000F.00000002.434760041.00000000033B3000.00000004.00000020.sdmp
Source: Binary string: advapi32.pdb# source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb9 source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000A.00000003.354778188.0000000000811000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382941849.00000000052C4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395863976.0000000004BB4000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412481857.0000000004ED1000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbU source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000A.00000003.354778188.0000000000811000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382722138.00000000052C1000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395643772.0000000004BB1000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412481857.0000000004ED1000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\ghost.pdb source: rundll32.exe, 00000005.00000002.379483946.000000000014A000.00000004.00000010.sdmp, rundll32.exe, 0000000F.00000002.432847249.0000000002DCB000.00000004.00000010.sdmp, rundll32.exe, 00000012.00000002.440633427.0000000002D6A000.00000004.00000010.sdmp, rundll32.exe, 00000016.00000002.451872776.000000000089A000.00000004.00000010.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000A.00000003.354778188.0000000000811000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382722138.00000000052C1000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395643772.0000000004BB1000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412481857.0000000004ED1000.00000004.00000040.sdmp
Source: Binary string: ilC:\Users\user\Desktop\ghost.pdb source: rundll32.exe, 00000005.00000002.379483946.000000000014A000.00000004.00000010.sdmp, rundll32.exe, 0000000F.00000002.432847249.0000000002DCB000.00000004.00000010.sdmp, rundll32.exe, 00000012.00000002.440633427.0000000002D6A000.00000004.00000010.sdmp, rundll32.exe, 00000016.00000002.451872776.000000000089A000.00000004.00000010.sdmp
Source: Binary string: dwmapi.pdb` source: WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERF9A6.tmp.dmp.27.dr
Source: Binary string: eer\Desktop\ghost.PDB source: rundll32.exe, 00000005.00000002.379483946.000000000014A000.00000004.00000010.sdmp, rundll32.exe, 0000000F.00000002.432847249.0000000002DCB000.00000004.00000010.sdmp, rundll32.exe, 00000012.00000002.440633427.0000000002D6A000.00000004.00000010.sdmp, rundll32.exe, 00000016.00000002.451872776.000000000089A000.00000004.00000010.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412428526.0000000004DD1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdbA source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbooC source: WerFault.exe, 00000014.00000003.395560310.0000000004A92000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000A.00000003.354042774.0000000004D90000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.381527765.0000000005450000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.393879888.0000000000AE0000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.410649898.0000000005080000.00000004.00000001.sdmp
Source: Binary string: l.pdb source: rundll32.exe, 0000000F.00000002.432847249.0000000002DCB000.00000004.00000010.sdmp
Source: Binary string: (P^l,C:\Windows\ghost.pdb source: rundll32.exe, 0000000F.00000002.432847249.0000000002DCB000.00000004.00000010.sdmp, rundll32.exe, 00000012.00000002.440633427.0000000002D6A000.00000004.00000010.sdmp, rundll32.exe, 00000016.00000002.451872776.000000000089A000.00000004.00000010.sdmp
Source: Binary string: dwmapi.pdb5~q source: WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000A.00000003.354758786.0000000004B92000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.381527765.0000000005450000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395560310.0000000004A92000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412451483.0000000004DE2000.00000004.00000001.sdmp, WERF9A6.tmp.dmp.27.dr
Source: Binary string: imagehlp.pdb} source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbi source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.354778188.0000000000811000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382941849.00000000052C4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395643772.0000000004BB1000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412481857.0000000004ED1000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbc source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.354826015.0000000000810000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382918143.00000000052C0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395823309.0000000004BB0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412618555.0000000004ED0000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412428526.0000000004DD1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000014.00000003.380680880.0000000000708000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.390117912.0000000000987000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412428526.0000000004DD1000.00000004.00000001.sdmp
Source: Binary string: ghost.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp, WERF9A6.tmp.dmp.27.dr
Source: Binary string: combase.pdbA source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb{ source: WerFault.exe, 00000011.00000003.382640588.00000000052D3000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdboor source: WerFault.exe, 0000000A.00000003.354758786.0000000004B92000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb| source: WERD778.tmp.dmp.17.dr
Source: Binary string: shlwapi.pdb7 source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000A.00000003.354042774.0000000004D90000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.381527765.0000000005450000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.393879888.0000000000AE0000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.410649898.0000000005080000.00000004.00000001.sdmp
Source: Binary string: _(P^l,C:\Windows\ghost.pdb source: rundll32.exe, 00000005.00000002.379483946.000000000014A000.00000004.00000010.sdmp
Source: Binary string: version.pdb[~ source: WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.354778188.0000000000811000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382941849.00000000052C4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395863976.0000000004BB4000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412481857.0000000004ED1000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdboo source: WerFault.exe, 0000001B.00000003.412451483.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\ghost.pdbpdbost.pdb source: rundll32.exe, 0000000F.00000002.434760041.00000000033B3000.00000004.00000020.sdmp
Source: Binary string: oleaut32.pdb3 source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: (P^lHC:\Users\user\Desktop\ghost.pdb27 source: rundll32.exe, 0000000F.00000002.432847249.0000000002DCB000.00000004.00000010.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412428526.0000000004DD1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.354778188.0000000000811000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382722138.00000000052C1000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395643772.0000000004BB1000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412481857.0000000004ED1000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000A.00000003.354778188.0000000000811000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382722138.00000000052C1000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395643772.0000000004BB1000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412481857.0000000004ED1000.00000004.00000040.sdmp
Source: Binary string: (P^lHC:\Users\user\Desktop\ghost.pdb2[ source: rundll32.exe, 00000005.00000002.379483946.000000000014A000.00000004.00000010.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.354778188.0000000000811000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382722138.00000000052C1000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395643772.0000000004BB1000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412481857.0000000004ED1000.00000004.00000040.sdmp
Source: Binary string: clrjit.pdbf source: WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb` source: WERA77E.tmp.dmp.10.dr
Source: Binary string: iphlpapi.pdb[ source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbf source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb+ source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbp source: WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412428526.0000000004DD1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382640588.00000000052D3000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: combase.pdb% source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbp source: WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000014.00000003.381543825.0000000000702000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.390081936.0000000000981000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412428526.0000000004DD1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbU source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbK source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbi source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000A.00000003.354778188.0000000000811000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382941849.00000000052C4000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395643772.0000000004BB1000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412481857.0000000004ED1000.00000004.00000040.sdmp
Source: Binary string: clrjit.pdb9~} source: WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb9 source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Andre\Documents\Visual Studio 2015\Projects\ghost\Release\ghost.pdb%% source: rundll32.exe, 00000002.00000002.332564130.000000000516A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.333642812.00000000049CA000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.390709241.000000007364A000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000002.347865671.000000000456A000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.356017758.000000007364A000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.364210056.000000000462A000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.434760041.00000000033B3000.00000004.00000020.sdmp, rundll32.exe, 00000012.00000002.450127060.00000000071FA000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.393607696.000000007364A000.00000002.00020000.sdmp, rundll32.exe, 00000016.00000002.455781535.000000000482A000.00000002.00020000.sdmp, rundll32.exe, 00000017.00000002.388822904.000000007364A000.00000002.00020000.sdmp, rundll32.exe, 00000018.00000002.389741243.000000007364A000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.396291858.000000000709A000.00000002.00020000.sdmp, ghost.dll
Source: Binary string: version.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412527960.0000000004EE2000.00000004.00000040.sdmp
Source: Binary string: vcruntime140.i386.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.354826015.0000000000810000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382918143.00000000052C0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395823309.0000000004BB0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412618555.0000000004ED0000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbO3 source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb86 source: WerFault.exe, 0000001B.00000003.412618555.0000000004ED0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\ghost.pdbd source: rundll32.exe, 0000000F.00000002.434760041.00000000033B3000.00000004.00000020.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.354826015.0000000000810000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382918143.00000000052C0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395823309.0000000004BB0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412618555.0000000004ED0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000014.00000003.381309008.000000000070E000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.391502921.000000000098D000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdbo source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb% source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.395939381.0000000004BB7000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.412501777.0000000004ED7000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbS source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.354751213.0000000004B81000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.382574019.00000000051A1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.395521425.0000000004A81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.412428526.0000000004DD1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdbM source: WerFault.exe, 00000011.00000003.382960272.00000000052C7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb_ source: WerFault.exe, 0000000A.00000003.354839656.0000000000817000.00000004.00000040.sdmp
Source: ghost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ghost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ghost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ghost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ghost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_05167D46 push ecx; ret 2_2_05167D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_73647D46 push ecx; ret 2_2_73647D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_051003F9 push E801005Eh; retf 2_2_05100401
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_049C7D46 push ecx; ret 3_2_049C7D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042F7D46 push ecx; ret 5_2_042F7D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04271974 push ss; retf 5_2_0427196E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04272974 push es; retf 5_2_0427296E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04272954 push es; retf 5_2_0427294E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042729D4 push es; retf 5_2_042729CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04567D46 push ecx; ret 11_2_04567D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_06AE7D46 push ecx; ret 12_2_06AE7D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04627D46 push ecx; ret 13_2_04627D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04F77D46 push ecx; ret 15_2_04F77D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04F32040 push edx; mov dword ptr [esp], C604C17Fh 15_2_04F3208A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04F31ED0 push edx; mov dword ptr [esp], 5504C181h 15_2_04F31EDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_071F7D46 push ecx; ret 18_2_071F7D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_07407D46 push ecx; ret 21_2_07407D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04827D46 push ecx; ret 22_2_04827D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_04B07D46 push ecx; ret 23_2_04B07D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_072B7D46 push ecx; ret 24_2_072B7D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D11C03 push eax; iretd 24_2_04D11C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D11C07 push eax; iretd 24_2_04D11C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D11ED0 push edx; iretd 24_2_04D11ED2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D11F61 push edx; iretd 24_2_04D11F62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D11F19 push edx; iretd 24_2_04D11F1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D120C3 push edx; iretd 24_2_04D120CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D120CB push edx; iretd 24_2_04D120AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D120CB push ebx; iretd 24_2_04D120E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D120E3 push ebx; iretd 24_2_04D120EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D120EB push edx; iretd 24_2_04D120C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_04D12081 push edx; iretd 24_2_04D12082

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 4.0 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 7.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 7.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 7.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 7.5 %
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: WerFault.exe, 0000000A.00000002.378040719.0000000004785000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWu
Source: WerFault.exe, 00000014.00000002.437606533.0000000004673000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWx
Source: WerFault.exe, 0000000A.00000002.378125688.0000000004980000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.428452241.0000000005350000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.437694373.0000000004880000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.450419098.0000000004B40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000A.00000002.378031651.0000000004780000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.426490194.0000000004D2F000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000002.437481837.00000000045A0000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.450160944.0000000004861000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000A.00000002.378125688.0000000004980000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.428452241.0000000005350000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.437694373.0000000004880000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.450419098.0000000004B40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000A.00000002.378125688.0000000004980000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.428452241.0000000005350000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.437694373.0000000004880000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.450419098.0000000004B40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000001B.00000002.450251390.0000000004924000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000A.00000002.378125688.0000000004980000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.428452241.0000000005350000.00000002.00000001.sdmp, WerFault.exe, 00000014.00000002.437694373.0000000004880000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.450419098.0000000004B40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: WerFault.exe, 00000014.00000002.437667323.000000000469A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWd

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_05167AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_05167AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_05167C49 SetUnhandledExceptionFilter, 2_2_05167C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_05167F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_05167F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_05167AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_05167AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_73647F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_73647F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_73647AB4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_73647AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_73647C49 SetUnhandledExceptionFilter, 2_2_73647C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_049C7C49 SetUnhandledExceptionFilter, 3_2_049C7C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_049C7AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_049C7AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_049C7F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_049C7F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042F7C49 SetUnhandledExceptionFilter, 5_2_042F7C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042F7AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_042F7AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_042F7F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_042F7F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04567C49 SetUnhandledExceptionFilter, 11_2_04567C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04567AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_04567AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_04567F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_04567F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_06AE7AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_06AE7AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_06AE7F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_06AE7F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_06AE7C49 SetUnhandledExceptionFilter, 12_2_06AE7C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04627C49 SetUnhandledExceptionFilter, 13_2_04627C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04627AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_04627AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_04627F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_04627F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04F77C49 SetUnhandledExceptionFilter, 15_2_04F77C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04F77AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_04F77AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04F77F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_04F77F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_071F7F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_071F7F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_071F7AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_071F7AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_071F7C49 SetUnhandledExceptionFilter, 18_2_071F7C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_07407F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_07407F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_07407AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_07407AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_07407C49 SetUnhandledExceptionFilter, 21_2_07407C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04827C49 SetUnhandledExceptionFilter, 22_2_04827C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04827AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_04827AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 22_2_04827F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_04827F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_04B07C49 SetUnhandledExceptionFilter, 23_2_04B07C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_04B07AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_04B07AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_04B07F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_04B07F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_072B7F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_072B7F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_072B7AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_072B7AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_072B7C49 SetUnhandledExceptionFilter, 24_2_072B7C49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_07097F54 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_07097F54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_07097AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_07097AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 26_2_07097C49 SetUnhandledExceptionFilter, 26_2_07097C49
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ghost.dll',#1

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_05167D83 cpuid 2_2_05167D83
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Users\user\Desktop\ghost.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_051679AF GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_051679AF

Behavior Graph (image not included in this export)

Behavior Graph ID: 379667
Sample: ghost.dll
Startdate: 01/04/2021
Architecture: WINDOWS
Score: 6

Process tree recovered from the graph:

  • loaddll32.exe
    • rundll32.exe
      • WerFault.exe
        • 192.168.2.1 (unknown, unknown)
    • rundll32.exe
      • WerFault.exe
    • cmd.exe
      • rundll32.exe
    • 10 other processes
      • WerFault.exe
      • WerFault.exe

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private

IP
192.168.2.1