Analysis Report utility.dll

Overview

General Information

Sample Name: utility.dll
Analysis ID: 385485
MD5: c84fd1069470c4f7cbcd9fa10fc32615
SHA1: 94ca6af9cae336754da47e2b8694a1f33db78e89
SHA256: 59d2ed9608ac543bd671da7b17558ebce275f64dd80fc84abd10fd31dea49c5e

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002170 FileEncrypt, 4_2_10002170
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002290 FileDecrypt, 4_2_10002290
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10004340 SecuritySave,CompareFileTime,CompareFileTime,CompareFileTime,EncryptEx, 4_2_10004340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001D30 Encrypt,SysAllocStringLen, 4_2_10001D30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001E50 EncryptEx, 4_2_10001E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10003E90 SecurityLoad,SecurityWipeMemory,GetSystemTime,SystemTimeToFileTime,wsprintfA,lstrcpyA,wsprintfA,wsprintfA,lstrlenA,lstrcpyA,lstrcpynA,DecryptEx, 4_2_10003E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001EB0 DecryptEx, 4_2_10001EB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001F10 Decrypt,SysAllocStringLen, 4_2_10001F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001FF0 Decrypt2BinStr, 4_2_10001FF0

Compliance:

Uses 32bit PE files
Source: utility.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: utility.dll Static PE information: certificate valid
Source: WerFault.exe, 0000000E.00000003.749476068.000000000502A000.00000004.00000001.sdmp String found in binary or memory: http://crl.m
Source: WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp String found in binary or memory: http://crl.micro
Source: WerFault.exe, 0000000B.00000003.676315749.00000000049D4000.00000004.00000001.sdmp String found in binary or memory: http://crl.micro(
Source: WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: WerFault.exe, 00000009.00000003.683820033.0000000004D79000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft2
Source: WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsy
Source: utility.dll String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp String found in binary or memory: http://microsoft.coA
Source: utility.dll String found in binary or memory: http://ocsp.thawte.com0
Source: utility.dll String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: utility.dll String found in binary or memory: http://t2.symcb.com0
Source: utility.dll String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: utility.dll String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: utility.dll String found in binary or memory: http://tl.symcd.com0&
Source: utility.dll String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: utility.dll String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: utility.dll String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp String found in binary or memory: http://www.microsoft.c
Source: WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp String found in binary or memory: http://www.microsoft.co
Source: utility.dll String found in binary or memory: https://www.thawte.com/cps0/
Source: utility.dll String found in binary or memory: https://www.thawte.com/repository0
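Added example, not part of the Joe Sandbox report: the URL strings attributed to utility.dll above are all Thawte/Symantec CRL, OCSP, AIA and CPS endpoints, i.e. they come from the Authenticode certificate chain (consistent with "Static PE information: certificate valid" further down), not from the DLL's own code. The stray "0", "0/", "0&", "07" and "0(" glued onto each URL are the DER bytes that follow an IA5String inside the certificate: 0x30 is the SEQUENCE tag and happens to be ASCII "0", and a printable length byte is dragged along with it. The script below cleans those tails and sorts the URLs by the certificate extension they most plausibly came from, so that a reviewer can separate certificate-chain URLs from real network indicators. The sample rows are constructed from the listing above; the classification rules and the helper names are the editor's own, not a sandbox feature.

```python
from urllib.parse import urlsplit

# Constructed sample: a subset of the "String found in binary or memory" rows
# from this report, as (source, raw string). The WerFault.exe rows are
# fragments scraped from crash-dump memory; they are included only to show
# that the filter discards them.
SANDBOX_ROWS = [
    ("WerFault.exe", "http://crl.m"),
    ("WerFault.exe", "http://crl.microsoft2"),
    ("utility.dll", "http://crl.thawte.com/ThawteTimestampingCA.crl0"),
    ("utility.dll", "http://ocsp.thawte.com0"),
    ("utility.dll", "http://t1.symcb.com/ThawtePCA.crl0"),
    ("utility.dll", "http://t2.symcb.com0"),
    ("utility.dll", "http://tl.symcb.com/tl.crl0"),
    ("utility.dll", "http://tl.symcb.com/tl.crt0"),
    ("utility.dll", "http://tl.symcd.com0&"),
    ("utility.dll", "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"),
    ("utility.dll", "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0("),
    ("utility.dll", "http://ts-ocsp.ws.symantec.com07"),
    ("utility.dll", "https://www.thawte.com/cps0/"),
    ("utility.dll", "https://www.thawte.com/repository0"),
]

# URL kinds that an X.509 certificate chain legitimately carries.
PKI_KINDS = {"crl", "ca-issuers", "ocsp", "policy", "bare-host"}


def strip_der_tail(raw):
    """Drop the DER bytes a strings-style extractor glues onto a certificate URL.

    URLs inside a certificate are IA5Strings; the element after them almost
    always starts with a SEQUENCE tag, 0x30, which is ASCII '0'. Its length
    byte, when printable, is dragged along too, giving tails such as "0",
    "0/", "0&" or "07". Strip the shortest tail that explains the ending so a
    URL that really ends in a digit keeps it (heuristic: parse the certificate
    with openssl/signtool when the exact value matters).
    """
    if raw.endswith("0"):
        return raw[:-1]
    if len(raw) >= 2 and raw[-2] == "0":
        return raw[:-2]
    return raw


def classify_pki_url(url):
    """Guess which certificate extension a URL came from, by path and host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower().rstrip("/")
    if path.endswith(".crl"):
        return "crl"          # CRL Distribution Points
    if path.endswith((".cer", ".crt", ".p7c", ".p7b")):
        return "ca-issuers"   # Authority Information Access: caIssuers
    if "ocsp" in host or path.endswith("/ocsp"):
        return "ocsp"         # Authority Information Access: OCSP responder
    if path.endswith(("/cps", "/repository")):
        return "policy"       # Certificate Policies: CPS pointer / repository
    if path == "":
        return "bare-host"    # typically an OCSP responder not named 'ocsp'
    return "other"            # not explained by the certificate: investigate


def extract_pki_urls(rows, sample="utility.dll"):
    """Clean and classify only the URL strings that came from the sample."""
    out = []
    for source, raw in rows:
        if source != sample:
            continue  # WerFault.exe crash-dump memory is not the sample
        url = strip_der_tail(raw)
        out.append({"raw": raw, "url": url, "kind": classify_pki_url(url)})
    return out


def only_pki_infrastructure(entries):
    """True when every URL is explained by the signing certificate chain."""
    return all(e["kind"] in PKI_KINDS for e in entries)


if __name__ == "__main__":
    entries = extract_pki_urls(SANDBOX_ROWS)
    for e in entries:
        print(f'{e["kind"]:11} {e["url"]}')
    print("all certificate-chain URLs:", only_pki_infrastructure(entries))
```

A "bare-host" or "other" result is a prompt to look at the certificate's AIA extension, not a verdict: t2.symcb.com and tl.symcd.com are Symantec OCSP responders, but the script can only say that they carry no path, which is how a certificate would reference an OCSP responder. Anything classified "other" in a signed binary deserves a closer look than the sandbox's string listing gives it.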

System Summary:

Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100019D0 4_2_100019D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10005830 4_2_10005830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100120C0 4_2_100120C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10013160 4_2_10013160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001E96D 4_2_1001E96D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100151D2 4_2_100151D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000B9E0 4_2_1000B9E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10011A80 4_2_10011A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000B390 4_2_1000B390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100143C1 4_2_100143C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10009400 4_2_10009400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000BC30 4_2_1000BC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10011470 4_2_10011470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10018507 4_2_10018507
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10014D10 4_2_10014D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10015D40 4_2_10015D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10015590 4_2_10015590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10014610 4_2_10014610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000BE90 4_2_1000BE90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000B6E0 4_2_1000B6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002F80 4_2_10002F80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10013790 4_2_10013790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10010FC0 4_2_10010FC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000AFF0 4_2_1000AFF0
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 696
Uses 32bit PE files
Source: utility.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: classification engine Classification label: clean8.winDLL@48/20@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6096
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3492
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7124
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6880
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6868
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA48.tmp
Source: utility.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\win.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\utility.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 696
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6868 -s 688
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 688
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt2BinStr
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 688
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DecryptEx
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Deflate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DeflateToMemory
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawEnumDisplayModes
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawIsSupported
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawRestoreDisplayMode
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawSetDisplayMode
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryAdd
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 688
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryClear
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryDump
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt2BinStr
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DecryptEx
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Deflate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DeflateToMemory
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawEnumDisplayModes
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawIsSupported
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawRestoreDisplayMode
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawSetDisplayMode
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryAdd
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryClear
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryDump
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: utility.dll Static PE information: certificate valid
Source: Binary string: profapi.pdbzl source: WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbt# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.657930785.0000000004E1B000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.657649042.00000000050E7000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.725317803.0000000003464000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbt source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb:#U source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.651458754.0000000000BB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.658769742.000000000330F000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.727173519.000000000345E000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdbio source: WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbW6X source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbl source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbb source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.651587844.00000000032AD000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.651468531.0000000000BBD000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.667241591.0000000000748000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.724957051.000000000346A000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb; source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbL#j source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb-6^ source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbC source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb56f source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbf#< source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb^C source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbI source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbQ6B source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb] source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbf source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb96j source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: netutils.pdbEo source: WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb#6T source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbQ source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbS source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.651866490.0000000000BB7000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.658090124.0000000003315000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.665733650.0000000000742000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.725317803.0000000003464000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb]B source: WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: wsock32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbh source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb~# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: samcli.pdb0#k source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: combase.pdbh#6 source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: netutils.pdbL source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: netutils.pdbN source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb! source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: samcli.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbV#l source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbX#f source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb= source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wsock32.pdb3 source: WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb?6` source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbr# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: wsock32.pdb/ source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.651458754.0000000000BB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.658769742.000000000330F000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.668506196.000000000073C000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.727173519.000000000345E000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb@ source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb3oc source: WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp
Source: Binary string: samcli.pdb_6m source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbO source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb6z~ source: WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb7 source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: samcli.pdbr source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbJ# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb6#a source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbk source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb@# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.651468531.0000000000BBD000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.658109078.000000000331B000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.667241591.0000000000748000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.724957051.000000000346A000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbU source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbW source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100078C0 ToolsSetDefaultPrinter,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 4_2_100078C0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10016730 push eax; ret 4_2_1001675E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0090D587 push ebp; retf 23_2_0090D623
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0090BEB8 push ebp; retf 23_2_0090BF6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0090C858 push ss; retf 23_2_0090C861
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0090F7E0 push ebp; retf 23_2_0090F7F7

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000CA50 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_1000CA50
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100019D0 rdtsc 4_2_100019D0
Contains functionality to query network adapter information
Source: C:\Windows\SysWOW64\rundll32.exe Code function: SysInfoGetAdaptersInfo,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree, 4_2_10006DB0
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: WerFault.exe, 00000009.00000002.695648862.0000000004D59000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWntel(R) 82574L Gigabit Network Connection-QoS Packet Scheduler-0000
Source: WerFault.exe, 00000009.00000002.697663157.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.685482706.0000000004A80000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.767832613.0000000005590000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.713927630.0000000004640000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.762545479.0000000005350000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000B.00000003.676572054.00000000049A8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWE
Source: WerFault.exe, 00000009.00000002.695648862.0000000004D59000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.676572054.00000000049A8000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.749692159.0000000005017000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.713771261.0000000004542000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000009.00000002.697663157.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.685482706.0000000004A80000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.767832613.0000000005590000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.713927630.0000000004640000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.762545479.0000000005350000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW8}&
Source: WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,
Source: WerFault.exe, 00000009.00000002.697663157.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.685482706.0000000004A80000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.767832613.0000000005590000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.713927630.0000000004640000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.762545479.0000000005350000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000011.00000002.713879346.000000000461D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`
Source: WerFault.exe, 00000009.00000002.697663157.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.685482706.0000000004A80000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.767832613.0000000005590000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.713927630.0000000004640000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.762545479.0000000005350000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100019D0 rdtsc 4_2_100019D0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100019D0 CPUSpeed,LdrInitializeThunk,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceCounter,GetThreadPriority,SetThreadPriority,QueryPerformanceCounter,QueryPerformanceCounter,SetThreadPriority, 4_2_100019D0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100078C0 ToolsSetDefaultPrinter,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 4_2_100078C0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000ABF0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle, 4_2_1000ABF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001C4FB SetUnhandledExceptionFilter, 4_2_1001C4FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001C50D SetUnhandledExceptionFilter, 4_2_1001C50D

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10003E90 SecurityLoad,SecurityWipeMemory,GetSystemTime,SystemTimeToFileTime,wsprintfA,lstrcpyA,wsprintfA,wsprintfA,lstrlenA,lstrcpyA,lstrcpynA,DecryptEx, 4_2_10003E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1001D1A2 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 4_2_1001D1A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10017756 GetVersion,GetCommandLineA, 4_2_10017756

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10004A80 ServerListen,_rand,__ftol,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup, 4_2_10004A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10004B60 ServerListenOnPort,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup, 4_2_10004B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10004D70 ServerIsListening, 4_2_10004D70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10004DE0 socket,WSAAsyncSelect,closesocket,htons,bind,closesocket,listen,closesocket, 4_2_10004DE0
Behavior Graph ID: 385485 Sample: utility.dll Startdate: 12/04/2021 Architecture: WINDOWS Score: 8
Process tree recovered from the behavior graph (parent -> child, as drawn in the graph):
  utility.dll (start)
    loaddll32.exe
      cmd.exe
        rundll32.exe
          WerFault.exe
      rundll32.exe
        WerFault.exe
      rundll32.exe
        WerFault.exe
      11 other processes
        WerFault.exe
        WerFault.exe
No contacted IP infos