Analysis Report b8fe43e6_by_Libranalysis

Overview

General Information

Sample Name: b8fe43e6_by_Libranalysis (renamed file extension from none to dll)
Analysis ID: 404281
MD5: b8fe43e6e418db516c1deda8d2b1e8d0
SHA1: d6901a2528977ed284f9e6808a73029371cd2ecc
SHA256: 6ea1efc4c1dd494c71fbfb23ea1fdc5530f9cbb6602993d96a74a7b014a96ee3
Tags: Dridex

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5604 cmdline: loaddll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5952 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5544 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 6752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 752 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5512 cmdline: rundll32.exe C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll,LoxmtYt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6908 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 892 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6976 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7164 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddFileToInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3728 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddParameter MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5660 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiCancel MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 4512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_d09d9774ec98621253c28ca1027c73a9bab30_82810a17_1a23c1a4\Report.wer | SUSP_WER_Critical_HeapCorruption | Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation) | Florian Roth
Strings:
  • 0x11c:$a1: ReportIdentifier=
  • 0x19e:$a1: ReportIdentifier=
  • 0x77a:$a2: .Name=Fault Module Name
  • 0x928:$s1: c0000374

Memory Dumps

Source | Rule | Description | Author
00000012.00000002.500958542.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000013.00000002.497125131.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
0000000F.00000002.514739033.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000010.00000002.494023927.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security

Unpacked PEs

Source | Rule | Description | Author
19.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
15.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
16.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
18.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 15.2.rundll32.exe.10000000.3.unpack | Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}
Multi AV Scanner detection for submitted file
Source: b8fe43e6_by_Libranalysis.dll | Metadefender: Detection: 21%
Source: b8fe43e6_by_Libranalysis.dll | ReversingLabs: Detection: 29%
Machine Learning detection for sample
Source: b8fe43e6_by_Libranalysis.dll | Joe Sandbox ML: detected
Source: 15.2.rundll32.exe.7f0000.1.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 19.2.rundll32.exe.1a0000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 18.2.rundll32.exe.cf0000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 16.2.rundll32.exe.2db0000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: b8fe43e6_by_Libranalysis.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: b8fe43e6_by_Libranalysis.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.343884757.000000000493B000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347640493.0000000000684000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.390865537.0000000005250000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499498394.0000000003092000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501239275.00000000055A5000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
Source: Binary string: rasman.pdbe{ source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.342065583.0000000000A1F000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347540628.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499460892.000000000308C000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb$ source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb`n source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.501546084.00000000000F2000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbVn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.345845744.0000000000A2B000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.348844819.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbHn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb, source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486379544.0000000004B35000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb/ source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbw source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501207923.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501239275.00000000055A5000.00000004.00000040.sdmp
Source: Binary string: KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 0000001C.00000002.509473746.0000000000922000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb5 source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdbw{ source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdbnn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: FGERN.pdb source: rundll32.exe, 00000014.00000002.514218411.0000000010025000.00000002.00020000.sdmp, b8fe43e6_by_Libranalysis.dll
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500685057.00000000055A2000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000A.00000003.342061380.0000000000A19000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347534673.0000000000678000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000A.00000003.344185164.0000000000A25000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347640493.0000000000684000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499498394.0000000003092000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb3{4 source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
Source: Binary string: KERNEL32C:\Windows\System32\KERNEL32.DLLC:\Windows\System32\KERNEL32.DLLRSDSwkernel32.pdb source: WerFault.exe, 0000001C.00000002.509473746.0000000000922000.00000004.00000001.sdmp
Source: Binary string: combase.pdbrn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb^' source: WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbtn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb]& source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: glu32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486379544.0000000004B35000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbZn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501207923.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501207923.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb/ source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb{{ source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000A.00000003.342065583.0000000000A1F000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347540628.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499460892.000000000308C000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbxn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501207923.00000000055A0000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb\n source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb\! source: WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000A.00000003.342061380.0000000000A19000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347534673.0000000000678000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499438158.0000000003086000.00000004.00000001.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000A.00000003.345845744.0000000000A2B000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.348844819.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499549411.0000000003098000.00000004.00000001.sdmp
Source: Binary string: ClusApi.pdb{ source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000017.00000003.500685057.00000000055A2000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501207923.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdbG{ source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 193.200.130.181:443
Source: Malware configuration extractor | IPs: 95.138.161.226:2303
Source: Malware configuration extractor | IPs: 167.114.113.13:4125
Source: Joe Sandbox View | IP Address: 167.114.113.13
Source: Joe Sandbox View | IP Address: 95.138.161.226
Source: Joe Sandbox View | IP Address: 193.200.130.181
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: RACKSPACE-LONGB
Source: Joe Sandbox View | ASN Name: CLOUD-MANAGEMENT-LLCUS
Source: WerFault.exe, 0000000A.00000002.502947562.00000000009E9000.00000004.00000020.sdmp | String found in binary or memory: http://crl.micr
Source: WerFault.exe, 0000000A.00000003.501370498.0000000004868000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micro

                  E-Banking Fraud:

                  barindex
                  Yara detected Dridex unpacked fileShow sources
                  Source: Yara match; File source: 00000012.00000002.500958542.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000013.00000002.497125131.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara match; File source: 0000000F.00000002.514739033.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000010.00000002.494023927.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara match; File source: 19.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 15.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_10001494
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_10011460
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_1000846C
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_1000A52C
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_10011D58
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_10019348
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_10010754
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_100090CC
                  Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 752
                  Source: b8fe43e6_by_Libranalysis.dll; Binary or memory string: OriginalFilenamej2pcsc.dllN vs b8fe43e6_by_Libranalysis.dll
                  Source: b8fe43e6_by_Libranalysis.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                  Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_d09d9774ec98621253c28ca1027c73a9bab30_82810a17_1a23c1a4\Report.wer, type: DROPPED; Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =
                  Source: b8fe43e6_by_Libranalysis.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: classification engine; Classification label: mal76.troj.evad.winDLL@21/11@0/4
                  Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5604
                  Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5544
                  Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5512
                  Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6976
                  Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA92F.tmp
                  Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll,LoxmtYt
                  Source: b8fe43e6_by_Libranalysis.dll; Metadefender: Detection: 21%
                  Source: b8fe43e6_by_Libranalysis.dll; ReversingLabs: Detection: 29%
                  Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll'
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1
                  Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1
                  Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 752
                  Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 892
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllCanUnloadNow
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllGetClassObject
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddFileToInstance
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddParameter
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiCancel
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 608
                  Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 756
                  Source: b8fe43e6_by_Libranalysis.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
                  Source: b8fe43e6_by_Libranalysis.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.343884757.000000000493B000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347640493.0000000000684000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.390865537.0000000005250000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499498394.0000000003092000.00000004.00000001.sdmp
                  Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501239275.00000000055A5000.00000004.00000040.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
                  Source: Binary string: rasman.pdbe{ source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
                  Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.342065583.0000000000A1F000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347540628.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499460892.000000000308C000.00000004.00000001.sdmp
                  Source: Binary string: fltLib.pdb$ source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: advapi32.pdb`n source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
                  Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
                  Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.501546084.00000000000F2000.00000004.00000001.sdmp
                  Source: Binary string: powrprof.pdbVn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.345845744.0000000000A2B000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.348844819.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
                  Source: Binary string: mpr.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp
                  Source: Binary string: fltLib.pdbHn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: sfc.pdb, source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486379544.0000000004B35000.00000004.00000040.sdmp
                  Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: ClusApi.pdb/ source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdbw source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: nsi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501207923.00000000055A0000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501239275.00000000055A5000.00000004.00000040.sdmp
                  Source: Binary string: KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 0000001C.00000002.509473746.0000000000922000.00000004.00000001.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: WinTypes.pdb5 source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
                  Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
                  Source: Binary string: wUxTheme.pdbw{ source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: opengl32.pdbnn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: FGERN.pdb source: rundll32.exe, 00000014.00000002.514218411.0000000010025000.00000002.00020000.sdmp, b8fe43e6_by_Libranalysis.dll
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500685057.00000000055A2000.00000004.00000040.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000A.00000003.342061380.0000000000A19000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347534673.0000000000678000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
                  Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000A.00000003.344185164.0000000000A25000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347640493.0000000000684000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499498394.0000000003092000.00000004.00000001.sdmp
                  Source: Binary string: sfc.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: rasapi32.pdb3{4 source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
                  Source: Binary string: KERNEL32C:\Windows\System32\KERNEL32.DLLC:\Windows\System32\KERNEL32.DLLRSDSwkernel32.pdb source: WerFault.exe, 0000001C.00000002.509473746.0000000000922000.00000004.00000001.sdmp
                  Source: Binary string: combase.pdbrn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: mpr.pdb^' source: WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp
                  Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdbtn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: ClusApi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: sfc.pdb]& source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: glu32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486379544.0000000004B35000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdbZn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501207923.00000000055A0000.00000004.00000040.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501207923.00000000055A0000.00000004.00000040.sdmp
                  Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
                  Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: mpr.pdb/ source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp
                  Source: Binary string: msctf.pdb{{ source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000A.00000003.342065583.0000000000A1F000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347540628.000000000067E000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499460892.000000000308C000.00000004.00000001.sdmp
                  Source: Binary string: oleaut32.pdbxn source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501207923.00000000055A0000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
                  Source: Binary string: wsspicli.pdb\n source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: rasman.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.483923294.0000000004B32000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb\! source: WerFault.exe, 00000017.00000003.501272551.00000000055A8000.00000004.00000040.sdmp
                  Source: Binary string: msctf.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000A.00000003.342061380.0000000000A19000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.347534673.0000000000678000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499438158.0000000003086000.00000004.00000001.sdmp
                  Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.352186128.0000000004E80000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.485947047.0000000004B30000.00000004.00000040.sdmp, WerFault.exe, 00000017.00000003.500658090.00000000055D1000.00000004.00000001.sdmp
                  Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000A.00000003.345845744.0000000000A2B000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.348844819.000000000068A000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.499549411.0000000003098000.00000004.00000001.sdmp
                  Source: Binary string: ClusApi.pdb{ source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdbk source: WerFault.exe, 00000017.00000003.500685057.00000000055A2000.00000004.00000040.sdmp
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.486881658.0000000004B38000.00000004.00000040.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.352158662.0000000004EB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.482963978.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 00000017.00000003.501207923.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000002.519773343.0000000005391000.00000004.00000001.sdmp
                  Source: Binary string: dnsapi.pdbG{ source: WerFault.exe, 0000000A.00000003.352200487.0000000004E86000.00000004.00000040.sdmp
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 15_2_1000F6CC push esi; mov dword ptr [esp], 00000000h 15_2_1000F6CD
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_10003A29 push ds; iretd 20_2_10003A2A
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_10003866 pushfd ; iretd 20_2_10003867
                  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 20_2_10004B78 push esi; ret 20_2_10004B86
                  Source: initial sample; Static PE information: section name: .text entropy: 7.5511794748
                  Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion:

                  Tries to detect sandboxes / dynamic malware analysis system (file name check)
                  Source: C:\Windows\System32\loaddll32.exe  Section loaded: \KnownDlls32\Testapp.EXE
                  Source: C:\Windows\SysWOW64\rundll32.exe  Section loaded: \KnownDlls32\Testapp.EXE  (4 entries)
                  Source: C:\Windows\SysWOW64\rundll32.exe