
Analysis Report fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll

Overview

General Information

Sample Name: fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll
Analysis ID: 399327
MD5: 526bd61e387de23722e171a34dcd7016
SHA1: 9007dece802951a0f29c9ab84085e7d1920099f6
SHA256: 7d35c3abef65ed1d81d2f70944db31ba2a8cc703f1ccf8b82ca7b3929b8233e1
Tags: Trickbot

Detection

Trickbot
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Trickbot
Yara detected Trickbot
Allocates memory in foreign processes
Delayed program exit found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 2272 cmdline: loaddll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4940 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1068 cmdline: rundll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • wermgr.exe (PID: 6176 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
        • WerFault.exe (PID: 6336 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 712 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4012 cmdline: rundll32.exe C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll,StartW MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • wermgr.exe (PID: 6164 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
      • WerFault.exe (PID: 6320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 704 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6328 cmdline: rundll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll',StartW MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • wermgr.exe (PID: 6380 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
      • WerFault.exe (PID: 6480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 712 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"ver": "2000029", "gtag": "che7", "servs": ["103.66.72.217:443", "117.252.68.211:443", "103.124.173.35:443", "115.73.211.230:443", "117.54.250.246:443", "131.0.112.122:443", "69.109.35.254:20445", "43.17.158.63:36366", "130.180.24.227:44321", "131.168.228.35:19932", "185.31.222.247:49372", "151.187.13.249:46881", "190.186.36.209:40737", "42.139.161.213:11056", "23.95.165.4:64265", "189.169.15.32:42761", "125.6.227.80:58405", "217.159.190.123:8412", "47.106.66.231:10710", "46.136.156.92:5385"], "autorun": ["pwgrab"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.364114449.0000000004A50000.00000040.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
00000005.00000002.368401033.0000000004B00000.00000040.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
0000000C.00000002.358957054.0000000004FA0000.00000040.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
00000004.00000002.316290050.0000000000C50000.00000040.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
00000004.00000002.301654688.0000000000BB0000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.rundll32.exe.4b00000.3.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
5.2.rundll32.exe.4b00000.3.raw.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
12.2.rundll32.exe.4fa0000.3.raw.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
5.2.rundll32.exe.32b0000.1.raw.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |
12.2.rundll32.exe.3410000.1.raw.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.364114449.0000000004A50000.00000040.00000001.sdmp, Malware Configuration Extractor: Trickbot {"ver": "2000029", "gtag": "che7", "servs": ["103.66.72.217:443", "117.252.68.211:443", "103.124.173.35:443", "115.73.211.230:443", "117.54.250.246:443", "131.0.112.122:443", "69.109.35.254:20445", "43.17.158.63:36366", "130.180.24.227:44321", "131.168.228.35:19932", "185.31.222.247:49372", "151.187.13.249:46881", "190.186.36.209:40737", "42.139.161.213:11056", "23.95.165.4:64265", "189.169.15.32:42761", "125.6.227.80:58405", "217.159.190.123:8412", "47.106.66.231:10710", "46.136.156.92:5385"], "autorun": ["pwgrab"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}
Yara detected Trickbot
Source: Yara match, File source: Process Memory Space: wermgr.exe PID: 6380, type: MEMORY
Source: fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 117.252.68.211:443 -> 192.168.2.5:49712 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 117.252.68.211:443 -> 192.168.2.5:49717 version: TLS 1.0
Source: fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: powrprof.pdbx\6'r source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbX source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.248508121.0000000000D48000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.254112821.0000000003472000.00000004.00000001.sdmp
                      Source: Binary string: winspool.pdbD source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb* source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdbp source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.262174486.00000000054E1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.248501832.0000000000D42000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.251016998.00000000033F3000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.254564829.000000000346C000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdbf\ source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.262174486.00000000054E1000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbs source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.262174486.00000000054E1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.250318981.00000000033FF000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.254424830.0000000003478000.00000004.00000001.sdmp
                      Source: Binary string: powrprof.pdb, source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.262174486.00000000054E1000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb_ source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdbr\0'i source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdbqI7'd source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdbB source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbL source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.248501832.0000000000D42000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.251016998.00000000033F3000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdba source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.262174486.00000000054E1000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb#d source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdbz source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdbZ\ source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdbf source: WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdbm source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdbN source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdbA7 source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb)I source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdbg source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.262174486.00000000054E1000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdbh source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb~\<'e source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdby source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdbl\ source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbf source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.249353922.0000000000D4E000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.250318981.00000000033FF000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.254424830.0000000003478000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdbV source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.248508121.0000000000D48000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.250294762.00000000033F9000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.254112821.0000000003472000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.262174486.00000000054E1000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb| source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.262174486.00000000054E1000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.262174486.00000000054E1000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb`\ source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbe source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdbE source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp
Source: C:\Windows\System32\wermgr.exe, Code function: 14_2_0000024B66AE4800 FindFirstFileW, 14_2_0000024B66AE4800
Source: C:\Windows\System32\wermgr.exe, Code function: 14_2_0000024B66AEAC30 FindFirstFileW,FindNextFileW, 14_2_0000024B66AEAC30
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_000002360243A940
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec edi, 6_2_00000236024459A0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_000002360244B5B0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then mov esi, esi, 6_2_000002360245423F
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_000002360244EA50
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then inc ebp, 6_2_0000023602434670
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then mov esi, esi, 6_2_00000236024542CD
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_0000023602452EE0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then mov esi, esi, 6_2_00000236024542EF
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then mov esi, esi, 6_2_00000236024542AF
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then mov esi, esi, 6_2_0000023602454336
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then mov esi, esi, 6_2_0000023602454355
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_000002360243BB70
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_0000023602450B70
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then mov esi, esi, 6_2_000002360245431B
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then cmp dword ptr [eax], ecx, 6_2_0000023602439380
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then inc esp, 6_2_0000023602436B90
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec ecx, 6_2_0000023602440060
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_0000023602440060
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_000002360244F460
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then movzx edx, word ptr [eax], 6_2_000002360243AC30
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then mov ebx, edx, 6_2_00000236024438C0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_00000236024438C0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_00000236024484D0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then movzx ecx, word ptr [eax+02h], 6_2_000002360243E8E0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_000002360244DCE0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then inc esp, 6_2_00000236024354F0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_00000236024408F0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then inc esp, 6_2_0000023602437890
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 6_2_0000023602452CB0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then inc ecx, 6_2_000002360243E570
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then call 000002360244A610h, 6_2_0000023602446510
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 7_2_0000023538D2A940
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec ecx, 7_2_0000023538D30060
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 7_2_0000023538D30060
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 7_2_0000023538D3F460
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then inc esp, 7_2_0000023538D27890
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then movzx edx, word ptr [eax], 7_2_0000023538D2AC30
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then inc ecx, 7_2_0000023538D2E570
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 7_2_0000023538D308F0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then inc esp, 7_2_0000023538D254F0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then movzx ecx, word ptr [eax+02h], 7_2_0000023538D2E8E0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 7_2_0000023538D3DCE0
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then call 0000023538D3A610h, 7_2_0000023538D36510
Source: C:\Windows\System32\wermgr.exe, Code function: 4x nop then dec eax, 7_2_0000023538D42CB0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax7_2_0000023538D384D0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov ebx, edx7_2_0000023538D338C0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax7_2_0000023538D338C0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ebp7_2_0000023538D24670
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax7_2_0000023538D3EA50
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi7_2_0000023538D4423F
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax7_2_0000023538D3B5B0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec edi7_2_0000023538D359A0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax7_2_0000023538D2BB70
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax7_2_0000023538D40B70
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi7_2_0000023538D44355
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc esp7_2_0000023538D26B90
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then cmp dword ptr [eax], ecx7_2_0000023538D29380
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi7_2_0000023538D4431B
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi7_2_0000023538D44336
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi7_2_0000023538D442EF
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax7_2_0000023538D42EE0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi7_2_0000023538D442AF
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi7_2_0000023538D442CD
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then movzx edx, word ptr [eax]14_2_0000024B66AEAC30
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66AEA940
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc esp14_2_0000024B66AE6B90
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66AEBB70
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66B00B70
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then cmp dword ptr [eax], ecx14_2_0000024B66AE9380
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi14_2_0000024B66B0431B
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi14_2_0000024B66B042EF
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi14_2_0000024B66B04355
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi14_2_0000024B66B04336
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc esp14_2_0000024B66AE7890
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66AFDCE0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66AF84D0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc esp14_2_0000024B66AE64E6
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then movzx ecx, word ptr [eax+02h]14_2_0000024B66AEE8E0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66B02CB0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov ebx, edx14_2_0000024B66AF38C0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66AF38C0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66AFF460
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec ecx14_2_0000024B66AF0060
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66AF0060
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec edi14_2_0000024B66AF59A0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ecx14_2_0000024B66AEE570
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66AFB5B0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then call 0000024B66AFA610h14_2_0000024B66AF6510
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66AF08F0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc esp14_2_0000024B66AE54F0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ebp14_2_0000024B66AE4670
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66B02EE0
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi14_2_0000024B66B042CD
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi14_2_0000024B66B042AF
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax14_2_0000024B66AFEA50
                      Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then mov esi, esi14_2_0000024B66B0423F

                      Networking:

                      May check the online IP address of the machine
                      Source: C:\Windows\System32\wermgr.exe | DNS query: name: ipinfo.io
                      Source: Joe Sandbox View | ASN Name: BSNL-NIBNationalInternetBackboneIN
                      Source: Joe Sandbox View | JA3 fingerprint: 8916410db85077a5460817142dcbc8de
                      Source: unknown | HTTPS traffic detected: 117.252.68.211:443 -> 192.168.2.5:49712 version: TLS 1.0
                      Source: unknown | HTTPS traffic detected: 117.252.68.211:443 -> 192.168.2.5:49717 version: TLS 1.0
                      Source: unknown | TCP traffic detected without corresponding DNS query: 117.252.68.211
                      Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Connection: Keep-Alive; User-Agent: curl/7.74.0; Host: ipinfo.io
                      Source: unknown | DNS traffic detected: queries for: ipinfo.io
                      Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
                      Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712

                      E-Banking Fraud:

                      Yara detected Trickbot
                      Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 6380, type: MEMORY
                      Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0000023602440E30 NtQuerySystemInformation,DuplicateHandle,RtlDeleteBoundaryDescriptor | 6_2_0000023602440E30
                      Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000002360243B040 NtDelayExecution | 6_2_000002360243B040
                      Source: C:\Windows\System32\wermgr.exe | Code function: 7_2_0000023538D2B040 NtDelayExecution | 7_2_0000023538D2B040
                      Source: C:\Windows\System32\wermgr.exe | Code function: 7_2_0000023538D30E30 NtQuerySystemInformation,DuplicateHandle,RtlDeleteBoundaryDescriptor | 7_2_0000023538D30E30
                      Source: C:\Windows\System32\wermgr.exe | Code function: 14_2_0000024B66AEB040 NtDelayExecution | 14_2_0000024B66AEB040
                      Source: C:\Windows\System32\wermgr.exe | Code function: 14_2_0000024B66AF0E30 NtQuerySystemInformation,DuplicateHandle | 14_2_0000024B66AF0E30
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 704
                      Source: fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: classification engine | Classification label: mal88.troj.evad.winDLL@18/14@6/2
                      Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0000023602431140 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification
                      Source: C:\Windows\System32\wermgr.exe | Code function: 7_2_0000023538D21140 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification
                      Source: C:\Windows\System32\wermgr.exe | Code function: 14_2_0000024B66AE1140 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification
                      Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{AEA18584-0038-9132-02E4-0103AD92A638}
                      Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{A4C9D524-837C-DBA0-D23E-0C8E604322CF}
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4012
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1068
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6328
                      Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{4D3FAD72-FE30-7ED6-EA1F-2C351733F4E2}
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER63EC.tmp
                      Source: fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\wermgr.exe | System information queried: HandleInformation
                      Source: C:\Windows\System32\wermgr.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll,StartW
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll'
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll,StartW
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 704
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll',StartW
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 712
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 712
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll,StartW
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll',StartW
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                      Source: fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll | Static file information: File size 1375832 > 1048576
                      Source: fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: fTXDq_9l7R2B0vcJRNsxuiqMxwPxzPi4LKezkpuCM_E.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: powrprof.pdbx\6'r source: WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdbX source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.248508121.0000000000D48000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.254112821.0000000003472000.00000004.00000001.sdmp
                      Source: Binary string: winspool.pdbD source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.254702397.00000000050B6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255956920.0000000005506000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb* source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdbp source: WerFault.exe, 00000011.00000003.262206454.00000000056B6000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.254673935.0000000004F81000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.255887896.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.262174486.00000000054E1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.254685789.00000000050B0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.255938267.0000000005500000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.262190349.00000000056B0000.00000004.00000040.sdmp