Play interactive tour

Edit tour

Analysis Report b8fe43e6_by_Libranalysis.dll

Overview

General Information

Sample Name:	b8fe43e6_by_Libranalysis.dll
Analysis ID:	404281
MD5:	b8fe43e6e418db516c1deda8d2b1e8d0
SHA1:	d6901a2528977ed284f9e6808a73029371cd2ecc
SHA256:	6ea1efc4c1dd494c71fbfb23ea1fdc5530f9cbb6602993d96a74a7b014a96ee3
Tags:	Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 3440 cmdline: loaddll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 748 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4308 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 4872 cmdline: rundll32.exe C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll,LoxmtYt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5804 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 928 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5012 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5584 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5984 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 5408 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddFileToInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1540 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 4868 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddParameter MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5040 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 2992 cmdline: rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiCancel MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 592 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_14ccacb0\Report.wer	SUSP_WER_Critical_HeapCorruption	Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation)	Florian Roth	0x11c:$a1: ReportIdentifier= 0x19e:$a1: ReportIdentifier= 0x77c:$a2: .Name=Fault Module Name 0x92a:$s1: c0000374
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_15960134\Report.wer	SUSP_WER_Critical_HeapCorruption	Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation)	Florian Roth	0x11c:$a1: ReportIdentifier= 0x19e:$a1: ReportIdentifier= 0x77c:$a2: .Name=Fault Module Name 0x92a:$s1: c0000374

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.319669645.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0000000E.00000002.508405048.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000012.00000002.513324135.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000010.00000002.509454632.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000014.00000002.505756712.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000011.00000002.512489931.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
14.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
16.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
20.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
18.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
17.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 14.2.rundll32.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}

Multi AV Scanner detection for submitted file

Show sources

Source: b8fe43e6_by_Libranalysis.dll	Metadefender: Detection: 21%			Perma Link
Source: b8fe43e6_by_Libranalysis.dll	ReversingLabs: Detection: 29%

Machine Learning detection for sample

Show sources

Source: b8fe43e6_by_Libranalysis.dll

Joe Sandbox ML: detected

Source: 0.2.loaddll32.exe.d80000.1.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 16.2.rundll32.exe.5e0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 18.2.rundll32.exe.3400000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 2.2.rundll32.exe.f40000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.b30000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.rundll32.exe.8d0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 17.2.rundll32.exe.33e0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 20.2.rundll32.exe.32d0000.1.unpack	Avira: Label: TR/ATRAPS.Gen2

Source: b8fe43e6_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: b8fe43e6_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: FGERN.pdb source: b8fe43e6_by_Libranalysis.dll

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 193.200.130.181:443
Source: Malware configuration extractor	IPs: 95.138.161.226:2303
Source: Malware configuration extractor	IPs: 167.114.113.13:4125

Source: Joe Sandbox View	IP Address: 167.114.113.13 167.114.113.13
Source: Joe Sandbox View	IP Address: 95.138.161.226 95.138.161.226
Source: Joe Sandbox View	IP Address: 193.200.130.181 193.200.130.181

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: RACKSPACE-LONGB RACKSPACE-LONGB
Source: Joe Sandbox View	ASN Name: CLOUD-MANAGEMENT-LLCUS CLOUD-MANAGEMENT-LLCUS

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 00000003.00000002.319669645.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.508405048.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.513324135.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.509454632.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.505756712.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.512489931.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100090CC

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 760

Source: b8fe43e6_by_Libranalysis.dll

Binary or memory string: OriginalFilenamej2pcsc.dllN vs b8fe43e6_by_Libranalysis.dll

Source: b8fe43e6_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_14ccacb0\Report.wer, type: DROPPED	Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =
Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_15960134\Report.wer, type: DROPPED	Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =

Source: b8fe43e6_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal76.troj.evad.winDLL@24/28@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5012
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4868
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4308
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5408
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3440
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5984
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4872

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9475.tmp

Jump to behavior

Source: b8fe43e6_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll,LoxmtYt

Source: b8fe43e6_by_Libranalysis.dll	Metadefender: Detection: 21%
Source: b8fe43e6_by_Libranalysis.dll	ReversingLabs: Detection: 29%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll,LoxmtYt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 760
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 928
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddFileToInstance
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddParameter
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiCancel
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 756
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 756
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 756
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 756
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 592
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll,LoxmtYt
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddFileToInstance
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddParameter
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiCancel
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1

Source: b8fe43e6_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: b8fe43e6_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: FGERN.pdb source: b8fe43e6_by_Libranalysis.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1000F6CC push esi; mov dword ptr [esp], 00000000h

Source: initial sample

Static PE information: section name: .text entropy: 7.5511794748

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Source: C:\Windows\SysWOW64\rundll32.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery11	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
b8fe43e6_by_Libranalysis.dll	21%	Metadefender		Browse
b8fe43e6_by_Libranalysis.dll	30%	ReversingLabs	Win32.Trojan.Phonzy
b8fe43e6_by_Libranalysis.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.d80000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
16.2.rundll32.exe.5e0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
14.2.rundll32.exe.5e0607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.d50607.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.33c0607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.b10607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.5c0607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
18.2.rundll32.exe.33e0607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
18.2.rundll32.exe.3400000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
2.2.rundll32.exe.f20607.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.f40000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
3.2.rundll32.exe.b30000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
20.2.rundll32.exe.34b0607.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
14.2.rundll32.exe.8d0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
17.2.rundll32.exe.33e0000.2.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File
20.2.rundll32.exe.32d0000.1.unpack	100%	Avira	TR/ATRAPS.Gen2	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
167.114.113.13	unknown	Canada	16276	OVHFR	true
95.138.161.226	unknown	United Kingdom	15395	RACKSPACE-LONGB	true
193.200.130.181	unknown	unknown	42960	CLOUD-MANAGEMENT-LLCUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	404281
Start date:	04.05.2021
Start time:	21:44:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 43s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	b8fe43e6_by_Libranalysis.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@24/28@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.1% (good quality ratio 91.7%) Quality average: 74.8% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 66% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.139.144, 23.57.80.111, 2.20.142.209, 2.20.142.210, 104.42.151.234, 104.43.193.48, 52.147.198.201 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
167.114.113.13	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse
	3138bf3b_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse
95.138.161.226	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse
	3138bf3b_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse
193.200.130.181	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse
	3138bf3b_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RACKSPACE-LONGB	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	3138bf3b_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
CLOUD-MANAGEMENT-LLCUS	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	3138bf3b_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse	193.200.130.181
OVHFR	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	3138bf3b_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_14ccacb0\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12696
Entropy (8bit):	3.772807661829043
Encrypted:	false
SSDEEP:	192:tLi9y0oXyRH4+V/Ojed+iIR/u7sKS274ItWcY:himXyh4+VGjec/u7sKX4ItWcY
MD5:	8A2F59A105E101E23E78ACC0218D5756
SHA1:	052FF51A4D5468E70A5B6D67D55AEE22B30CFBA3
SHA-256:	6DD953497B09FD728FE138CC13714D8854C3D5FAC254FB388FC76A5ABCF9FA25
SHA-512:	5008C69E9BE5993EF9F5FF10A83488E75DB27525CFE3BDDE3D537D3DC2230DD2F5F484C43DC61A49D6E3EDDB5315D14D0209BD6C0FC511DCB04A5786065EA182
Malicious:	false
Yara Hits:	Rule: SUSP_WER_Critical_HeapCorruption, Description: Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_14ccacb0\Report.wer, Author: Florian Roth
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.6.8.4.2.8.9.9.0.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.6.8.6.2.8.5.3.0.6.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.8.f.4.9.7.4.-.a.0.c.a.-.4.1.1.f.-.b.5.a.5.-.8.d.d.f.8.e.b.2.4.b.f.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.2.e.7.9.e.6.-.f.6.5.b.-.4.0.8.7.-.b.4.3.f.-.5.7.7.a.f.4.c.b.8.3.4.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.d.4.-.0.0.0.1.-.0.0.1.7.-.2.8.9.7.-.4.2.b.a.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_15960134\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12698
Entropy (8bit):	3.771932163227197
Encrypted:	false
SSDEEP:	192:hrMeih0oXnRH4+V/Ojed+igR/u7svS274ItWci:9TiPXnh4+VGje0/u7svX4ItWci
MD5:	9A9050AF35493FDC046A0F2A5ADA6187
SHA1:	C5E499E6FDCA0794741F55ADEE04E1DC38DFEEBE
SHA-256:	5D4E9C26992329CD6F1A8B139A71AABA5517CF6C55CF9AFEFED4B9CB709D98C4
SHA-512:	33021E3E5A3AE71853E18399A5AB0ACDFE7C0D71DD41AB31E0A8B07A969BF3DB822948D1C8FF92907B1AFF2D8DAC7AA77ED0040D588A7D098EDEC66A4C14062E
Malicious:	false
Yara Hits:	Rule: SUSP_WER_Critical_HeapCorruption, Description: Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_15960134\Report.wer, Author: Florian Roth
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.7.6.8.6.6.3.6.9.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.7.7.6.4.1.3.6.7.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.6.2.1.1.1.a.6.-.3.d.8.4.-.4.0.1.e.-.b.a.4.0.-.9.6.a.d.f.7.0.a.3.0.4.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.5.2.d.6.7.a.-.c.b.7.7.-.4.5.6.f.-.8.1.8.1.-.2.3.1.9.b.d.4.9.2.a.d.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.9.4.-.0.0.0.1.-.0.0.1.7.-.d.f.3.2.-.d.d.d.9.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_70ca6d92bb7cd6d05a398077544511f8e964d76_82810a17_101203e3\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12764
Entropy (8bit):	3.7717428493022966
Encrypted:	false
SSDEEP:	192:Jdg5iX0oXCHBUZMX4jed+igR/u7svS274It7cb:DyipXaBUZMX4je0/u7svX4It7cb
MD5:	1D9EFCB3DC118BEB1DEB8C569061287B
SHA1:	3BB8D01D2175D4833FF49207567C237C1DD91DF8
SHA-256:	DC410BDD1213B2F43F8E995271B9A5DEAB187DF17CDD56CCFB312F0FC6F34BEC
SHA-512:	4C793C2A5A808B3F6E2821F2F6420D37E051FE373ACEF4B8F7D8F44F814F364619D13AE33BCC25B391D9E317379A9F1D900B5596448B29971F8E5057B4BEA9F6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.7.7.1.4.9.1.8.1.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.7.7.7.1.4.8.0.4.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.0.0.c.0.d.2.-.9.2.6.0.-.4.d.4.d.-.9.d.0.3.-.8.b.c.9.5.d.c.b.1.2.4.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.8.0.7.e.b.e.-.6.7.e.b.-.4.b.6.8.-.b.6.d.4.-.a.d.8.7.f.4.9.d.e.5.f.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.6.0.-.0.0.0.1.-.0.0.1.7.-.9.8.2.9.-.0.8.d.a.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_b66299609d435dc6d436af20ef404ad1f7dd29c2_82810a17_13f60d1b\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12682
Entropy (8bit):	3.768920244119495
Encrypted:	false
SSDEEP:	192:RmiE0oXNL3HBUZMX4jed+igR/u7svS274ItWcG:MiyXNrBUZMX4je0/u7svX4ItWcG
MD5:	6720C3471EEE71B1241EF9B95B04D43E
SHA1:	3CF3666D7A351AD8E807367B3CFCA55CCA7B697E
SHA-256:	8378EA8DF0C1FF4F15E3312620D5B664B4AF70A23EC0C207BD6B4E99CE12FE40
SHA-512:	07BB14BF42AB7B4C70EB3D9986A4C0D71DD663A8E3AE2D9A0B9DB59E3A84941888DC6B6F48C019F86B92F6AE6B6010C53484944D52A2AC0ED9130E135C30EE6E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.7.7.6.8.5.1.1.7.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.7.7.9.2.1.0.5.4.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.0.a.f.8.8.7.-.c.7.4.1.-.4.a.b.6.-.9.1.d.9.-.d.6.e.3.9.a.6.a.4.a.0.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.c.b.1.5.9.9.-.b.3.9.4.-.4.7.8.8.-.8.8.b.7.-.4.2.0.5.6.a.4.4.1.1.5.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.0.4.-.0.0.0.1.-.0.0.1.7.-.9.0.c.4.-.6.7.d.a.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_fd713208f5835c7ef2b9edc915523e535d24f6_82810a17_06420ae8\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12682
Entropy (8bit):	3.7686287414091635
Encrypted:	false
SSDEEP:	192:9Ai4Oin0oXGVxHBUZMX4jed+igR/u7svS274ItWcW:1iZXGTBUZMX4jeU/u7svX4ItWcW
MD5:	D5A543FCF617A53047391FA79B6BB0D2
SHA1:	C5C806E1DE4F14A0234405E7A168AF03C1C5E61B
SHA-256:	CBEFF017D5A0096CAE4F8837BE31AE35B840BB6FAFED61AC991DAD5A68E31CD8
SHA-512:	CDCD70619E510CBC5A454AB9A738D7F2FC85D1E6FFC6F1D8E7633E13FE07BE9FD2EC1056337DC1BF8E18132EA8A8EAC6A4636A1E14A7A5E6A85AC461FD04FCFA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.7.7.6.7.4.1.7.9.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.7.7.8.8.9.8.0.4.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.2.2.4.6.8.e.-.a.4.4.7.-.4.2.b.9.-.9.3.0.f.-.d.0.5.3.4.9.7.f.8.5.a.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.f.7.2.6.5.6.-.7.0.f.8.-.4.e.c.c.-.a.a.b.9.-.7.5.c.3.1.4.4.6.c.8.a.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.0.-.0.0.0.1.-.0.0.1.7.-.a.a.6.d.-.4.2.d.a.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_97ddcb6e334012c795b269b0febf6434961ab49_160cf2be_07f693b0\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	10086
Entropy (8bit):	3.7648879788229883
Encrypted:	false
SSDEEP:	96:t6AXy+y9hAtFaM056tpXIQcQ6c6n+hcEZcw3P+a+z+HbHgzFpAoXOgtYsASonj+K:WWFHUb+hjbjG7g/u7svS274Itb2u
MD5:	794F5EE3AFD496B22C5AE33B871528AF
SHA1:	FA78FB2D08774AB9E94786FA64B44BD346CAE91B
SHA-256:	459F9CDC01C84A7BDB1406D46A1FA41434BC1CAC9DB4F1DE3D7F6B34884162FC
SHA-512:	A6F5BA64E7BAA2A0ED44E1EA999825792BB7FE871AE50D3515983EF65977D0B5A34878D9C0375A2423C3C1F4C2B9761C9C104B566CDD69D44D32492F764A5BF1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.8.1.4.3.6.6.7.1.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.c.c.6.8.e.0.-.c.3.3.1.-.4.7.0.0.-.9.f.b.1.-.8.b.9.f.2.8.1.a.1.2.4.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.7.a.f.b.b.b.-.2.b.1.a.-.4.6.8.6.-.9.c.7.9.-.b.a.6.f.8.5.d.3.f.e.8.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.7.0.-.0.0.0.1.-.0.0.1.7.-.9.a.8.c.-.e.1.b.9.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.4././.0.4.:.1.0.:.5.0.:.5.4.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_a6e5673309e41777fbcceb355472075a2d98e3b_82810a17_16e8b22e\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12860
Entropy (8bit):	3.7599037631496284
Encrypted:	false
SSDEEP:	192:1i5iE0oXKFHVzOMjed+iYs/u7sKS274It7cT:1i5iyXgVzOMjeB/u7sKX4It7cT
MD5:	98ABE178E3ABF9EB668F1B1D5872DE2A
SHA1:	100975FCBAD81CF2E578A2D2BCE83BC1327AE577
SHA-256:	0E5408D503280B4982C256B7497E8CB1A5415B5C46949BB71A042B1AECD76C0E
SHA-512:	26FDC68583DBE7881E2E095C5AC3A892EDC321AD3B725BEF2AA383E6D0FD92E72751C19E2BE11F94C8B9D4C6FB81944A0214C7FDA0CDFB3AA791F6DAD8576090
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.6.9.0.3.3.5.7.5.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.7.c.8.7.9.7.-.1.f.b.0.-.4.c.c.b.-.b.f.c.4.-.4.9.2.8.a.9.5.b.7.5.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.5.b.9.6.e.4.-.3.3.b.6.-.4.c.7.b.-.9.1.6.7.-.7.f.d.6.c.9.f.a.a.0.6.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.0.8.-.0.0.0.1.-.0.0.1.7.-.0.7.f.b.-.3.e.b.a.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.!.1.0.3.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A6.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8314
Entropy (8bit):	3.6969170915314
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiU069B6YRv61TNgmfT3GS0CprD89bJfsfESjm:RrlsNi/6r6Y561TNgmfTWSIJEfi
MD5:	83EE80F83555E155D4E6F8C290163C83
SHA1:	8F75252ADC162668763265392AE51313FE4444FC
SHA-256:	DA12AA73FD5E4B489EE69F761BAEBB82018DD77F52221C5A7444DCE2BB08CD01
SHA-512:	A66B60130741AE37FD38EE5DB251280810FD213533E6A1777415ED94D7CFC0C940333DCE633C7C05CF878494F1DDDC35049745AFBF80038A659606FC63E0882E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AF.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8314
Entropy (8bit):	3.6964706101291984
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNifn69l6YRVE61TNgmfT3sS0CprJ89bJ8sf6jm:RrlsNif6v6YjE61TNgmfT8SqJPfX
MD5:	BCF747BF3D53D1B5A8D14F8F57A0AD2A
SHA1:	FE6AC825C5A7292A9C99B022B165ABFCC50EEC67
SHA-256:	697F166ECB868306B2457071EF2A8C15B824BC9B82F91E3C07249027155D92C0
SHA-512:	2AA1D7214ACE2C84686C00A226AF6DF7B487EBFD08437168D9DEC4CF662EA6EF269C28926333A4ACC722C0A7489A0048DE5806C1F8F3B296D9ED1984E0E04435
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.6.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53D.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4665
Entropy (8bit):	4.476151288026438
Encrypted:	false
SSDEEP:	48:cvIwSD8zswJgtWI9CMWSC8Beb8fm8M4JCdstN4xFN+q8/YNGnpV4SrSO6d:uITf25lSNzJfN4JPNGvDWHd
MD5:	722D834E41F5EEA7B44C740205A252F7
SHA1:	229BE92DE4D92FD57739277B655916D31F3F707D
SHA-256:	4C75EF43840CDC5ADB9E0AD416D0589C463B99F3B8C39EFE3B4C244739458E7E
SHA-512:	15A566D833F99DD589996AFE8C5C029118F3EDE61B56526FF1F6C5617ED4613995EBE4693B9CE9D19F67644BF7E3F1D6860956088F4FAEC144BCECEA514655AC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975720" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D9.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4665
Entropy (8bit):	4.47786313728854
Encrypted:	false
SSDEEP:	48:cvIwSD8zswJgtWI9CMWSC8BJ8fm8M4JCdstN4lFfl+q8/YNGPbI4SrSBd:uITf25lSNQJfN4/lPNGjIDWBd
MD5:	1202A42B5C8E5659CFD6413F63A8DAD7
SHA1:	D28B2CF4C6D8AB56DE9BFC71A49F1F4BB84C0074
SHA-256:	15CA53D0615D6831C000F6635A7C7C1A6C7AD4CFC7985424B341333279687938
SHA-512:	744A7A680B2088A215A97EB5F74CBAE808BFC53C9AA595A8C55AFA7B667CB884C0C764F298A5F2CCF0EFCBE8D23B1FD3C1282E15CB43F1F4944D47BFCE5C9502
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975720" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9093.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed May 5 04:50:14 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	28502
Entropy (8bit):	2.6942945176282986
Encrypted:	false
SSDEEP:	192:n8POgUNoY5zp5Drzv/4jsr0Oadvwqz9ArI7yXYTMby:8POgioojnzvzgOaeqpAroyXYQy
MD5:	B1773058BE36AEE4302D18E663B8A81B
SHA1:	299EC23A6B892EF4A76345C28EF3EC80467C5A4C
SHA-256:	7902E00AD5C92E18E2548582806B0CFC6A05D714C2E1585B936477D9791D5AE5
SHA-512:	B2A93F0C00B097E2ED38CAF3F79DF1165BE0D017560E27DE10F276D65260F6B47D6BD56A38A542E24BBAAD36855FA03C24C2516F44A96ABF2E35BCBCE0809BA4
Malicious:	false
Preview:	MDMP....... ........$.`...................U...........B..............GenuineIntelW...........T.......p...U#.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER92B7.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8396
Entropy (8bit):	3.6902989247590705
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiBs6ej6YScSUhII9AgmfDHS1tCpBj89benDsfcKm:RrlsNiq6ej6Y5SUhIIKgmfbS1jenofg
MD5:	BB99E9533D5D06BBDF02132C50BA803D
SHA1:	3FA246A35B67B08B02F8FFB0EDFACB44057A1DDD
SHA-256:	D2548A0CC64A970679B00B8D93728348FBF7803A8BE3647737614937795BDF25
SHA-512:	40DE23583A99DE5F9E4F80668EC678F3F6FF92812FF27E992EDD05849A87E9E4F10670613DF388BC0D6ED26BC567E1CB715DAA9A050D85A81EC187416F8814CF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.4.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9383.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4694
Entropy (8bit):	4.435034624349751
Encrypted:	false
SSDEEP:	48:cvIwSD8zswJgtWI9CMWSC8Be8fm8M4JVtN4fFpv+q8v7tN4FKcQIcQw6Uredd:uITf25lSNNJvN4nvKpN4FKkw68edd
MD5:	0BD45C47BF6D1E098B10F78A1ADEE1C8
SHA1:	51C1DB07CA4DADFE3582629839FEE8ED48AB4D7F
SHA-256:	0BAF84C29146615B2223009D1EC1EE3733AEB93941371F2A0545D58E062B0364
SHA-512:	FEC80CD0D15836724BB83070861186943BAB6A547167EC3F81AC16FED6EB28AA5F03AEE0C62D5D02E8B685C0C42E9F8B617E5A6254C7200E13E99B35FC5C765E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975720" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9475.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:48:05 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	52760
Entropy (8bit):	2.2713207437159366
Encrypted:	false
SSDEEP:	192:+yO0BNeqtlOFdnZn0jqRGVLV49s27TEeyGMVVsinsalBr:YqtSd+mkLVEt7TEeyJVmCs6r
MD5:	0158233AA18C40E0BBCD39837FEB5D5D
SHA1:	C6EB0B4F2FF0D8CBF1A76AD05622336A2C802FAB
SHA-256:	62020EC0A58AE7356328D7E580BB9DB8CCCD38D37FF33C39B63D7A888A922C85
SHA-512:	E0DB4455F18ABEF7B02D17B9D2F1AD8D33526412D0BEC9F12170F52C969E06A3EF472D681A84ABAD95DEAD155B13EB390431A90C15923912C221EDCAC81B9FEF
Malicious:	false
Preview:	MDMP....... ........#.`...................U...........B....... ......GenuineIntelW...........T...........V#.`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99F4.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8306
Entropy (8bit):	3.7004534107746396
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqx6b6Y4m68B5qGgmfTHPSXKCprr89b+n8sftqm:RrlsNi06b6YB6SFgmfTHPSO+nPfB
MD5:	AD73147E83A8B36DE9D935D5CE911823
SHA1:	DF16B467E65CA9C0A643F9804EB6C8C9070B53B8
SHA-256:	F4D62A14653CB4E59397969C2FFA45DED665B5D81019DCFDE9B7ECB4142C4A3C
SHA-512:	262CC348288C079A06EF4091F5DC7788CFD83298B73286109F9A87E91798A084F12F3DA818E2A4531CB1F2F3A114BD47D29F5AE38EE6B07A3C782C1CF25F360E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B0E.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4679
Entropy (8bit):	4.513029588501548
Encrypted:	false
SSDEEP:	48:cvIwSD8zsHJgtWI9CMWSC8Bz8fm8M4JCdsrZFhP+q8/3U1I4SrST6d:uITfp5lSNGJptPviDWT6d
MD5:	D61212A49486E903CFAC41FC43FA4ED4
SHA1:	C3C62001AAE23F5B41B9D51C2CB09D7324128AFD
SHA-256:	DF121DBD32906946328BE2F2A5125959FBCDDC7C35348ED471F3B291B5D9D4BB
SHA-512:	E17A119D3AF7D22356AC11561061445DFD9DCD9E09F37E0CEEF380D41E12BF9B3AC78DFD8F65A966A15E666FF0C68C303AA33BABE637D085BD00BE572BB2B87D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975718" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC14.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed May 5 04:48:11 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	56348
Entropy (8bit):	2.2519262948222085
Encrypted:	false
SSDEEP:	192:6E+cRT3TN2/7R3nyB/980h3AMYdaIO/QvTUvIiXJ0hX0OP5VO:5nzTN2TR3y5mGYcIpKxaLP5w
MD5:	0BF06EC1B7F66D4DC691E02654A3903C
SHA1:	6349B392A4998CF2980617C37A8B9DF3F167F7B5
SHA-256:	6EA0767B7C036D9A06F8577540E65C7BC899129C4E5805DDE3A36EE6D3EAE738
SHA-512:	BD1E58BC5B269053CFA0F208ECD68E7B8D2422408B3B547C3992CFCF66171876ADDE9BD1A18102690D9CCBA6F3D2C2C139FA4F1F97EA4590CD9B60ED852DD476
Malicious:	false
Preview:	MDMP....... ........#.`...................U...........B......."......GenuineIntelW...........T...........V#.`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0C8.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8380
Entropy (8bit):	3.694319472688357
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiEG6X6YRZ6RNTogmf83HS/CpBSy89b7nrsfoGpm:RrlsNiN6X6Y/6bTogmf83SfL7nwfo5
MD5:	F1AE422E7885757B141538712276A4AF
SHA1:	6EB97024B123C7BF5F5613F8572E406A67C83143
SHA-256:	A8E5A24E5139CDD147D083B0BB222B061A0F1F858697BBF505FA91B5975CA3C5
SHA-512:	294538C6C8963984CE9D4E6FE4B63B3FEA755A77AC2339DAC0812A62BE6214CFD6BBF61ED3E9AB74428F5E4B6C014250648139CE91E2962647E51881316EA0DA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.7.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB201.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4766
Entropy (8bit):	4.461945087016917
Encrypted:	false
SSDEEP:	48:cvIwSD8zsHJgtWI9CMWSC8BO8fm8M4JCdstN4fFk0+q8vjstN4GCI4SrSRd:uITfp5lSN9JfN4+0K2N4KDWRd
MD5:	E40225169749E2120E155CC0DAB629E8
SHA1:	7A36DFE0110FC29707E678A61737C1F6A7D9612D
SHA-256:	6587F41FD60B406CF1A41BB371EB9C77C69A4CE166259359ED0D154C682CA0E8
SHA-512:	DB1CF650AEC36129563F49C686C11E446B3FEE506C7CFBF437EC4A65B7F9BD9AAFA9F748EBB7F80A8F3796E5C4EBAD59A2D34717FF5542537E0C60525177EB62
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975718" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE0C.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:49:35 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	47588
Entropy (8bit):	2.2647666627151417
Encrypted:	false
SSDEEP:	192:8zBH1/JIJ0stBYJDM1A4hEaBqAWVb5kc+VPmvfJDouG:w1/WtgM1euqlb5J+NmvWt
MD5:	C624C54975037695AADBA22E667207AD
SHA1:	DA9F2E04A7C603298C4D5684C5192F4B76D75383
SHA-256:	A4615F4D24E5F6D2A7E9FAA4472666364044C396461DEE7769D92958AEDD5D8A
SHA-512:	DEAC489676BC295E026E6709275D228229035F4E08A5F5F0B02B9E49B48AF251D456D8AAB11E2AD89E4EF6F7F8F9F015DC85F24C1F2DE8F2534753D63E4D3655
Malicious:	false
Preview:	MDMP....... ........#.`...................U...........B....... ......GenuineIntelW...........T............#.`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE918.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:49:36 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46464
Entropy (8bit):	2.207242542737921
Encrypted:	false
SSDEEP:	192:3pyDkqZe1c439RJegD4/fEaBqAWVb5LcDIkN4rt3gQaynwyJ:ZMkqZeS439RJPE0uqlb5gDIG4r1aShJ
MD5:	74DE84F9202BA5BEE0F4C45A1C83A607
SHA1:	F19BD0CE5F2D889351AC012058872D7A0D326361
SHA-256:	74708AE80A0129781BFE633294AB697B51FB8B33720E5A5EF51255D2A1176D0F
SHA-512:	8BD1E85FC3D18D0B6CDF7353BA84983FDD22A0AED26F7BB4CA9DCEFF41B2893B2772ACE8E0F7E877FABE3165C4DAE1CC4D0DFAD50C031C3DB0130F206C1A31FF
Malicious:	false
Preview:	MDMP....... ........#.`...................U...........B....... ......GenuineIntelW...........T.......`....#.`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA01.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8328
Entropy (8bit):	3.7013565765270364
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi7w646YRd61TNgmfTHPSXKCprv89bXvsf8q9m:RrlsNis646Yr61TNgmfTHPSyXUfo
MD5:	DF0A87E60A28F36ABD606931DBC3347A
SHA1:	BDC331AC040BF0340B73E742B3C995B6D73589B7
SHA-256:	20646263FD9765D6E252A9E6E815411E804D3287779CB9B82828AFC3906921DE
SHA-512:	C38F558AF12539B47DDF249CFFD665C2606513D3854011FBEDE1E2EB2EC7DAEBB645675E9EDC97DD94CDA23025C039FDB82E7D71B66E4067F0EBF835BDC9693E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.1.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB98.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4679
Entropy (8bit):	4.51187397978779
Encrypted:	false
SSDEEP:	48:cvIwSD8zswJgtWI9CMWSC8Ba8fm8M4JCdsrZFPQ3s+q8/3Ut4SrSOd:uITf25lSNNJpLFvtDWOd
MD5:	7DDF29239C186EAED68CB11663BF94E0
SHA1:	4A10C720E62A1C60D984ED7FF1C8CFF35AEC64E0
SHA-256:	7D35A65EA3F4603763BA4A4E2154331496F9473C9A4C397C1B55C8C2F08A0E2F
SHA-512:	B8C58522BD6FC67DCA0BC13F4EA2870CF811B27569630BADCD84188807428E1068740C46BEE0714D0C4666647F5F8C23E0BEA08D285467A19E9750D30B39556B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975720" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD3D.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8382
Entropy (8bit):	3.697676034716634
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipbo6dQW6YRk61TNgmf8eS0Cpr089bXPsfZv9m:RrlsNipU6D6YS61TNgmf8eS9X0fC
MD5:	629236D79FB79E55D60E71CE9999CED2
SHA1:	96CAE27EA52419B01C9E8CD2FBB17B2FF0FBA6D3
SHA-256:	DB6A18CB1CD727BA3660AA5F873F3027A96B0873F287AA02F36D46DB310074CF
SHA-512:	FF51CA2ED5D7A5EBACB5A2320865AFEBE5722B9098E77C18EFF7E6B18CD9AB3D94EA683A7C5E34FB8B558248EAE9E075E33C54D4F63AFD6F3DF2A3F68257E77F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.8.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD9A.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:49:38 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	39812
Entropy (8bit):	2.4677851683162455
Encrypted:	false
SSDEEP:	192:Kwg9rU538iYqtTUKocLM/7VrIBlw6bihWf4nW:hgVnqKOC8HvihVW
MD5:	6E4D42CBA822457AB2C9BF76AFBD2A87
SHA1:	44E60FA16B87D126D49B2E91C22D068E9AB8D3B8
SHA-256:	408509B2CE2759EF0D66DA593008AD1B3CEC919E68EDF0973DC78B76D7398FBC
SHA-512:	E42D51468E202B349E02753A6528E1FA459C550931518EA83ECCD089DB4A219ECDCC187EBB8B343027A60FF04CB32E0FEE735E8CD5EF2BD7AE5464F7A5371C33
Malicious:	false
Preview:	MDMP....... ........#.`...................U...........B......P ......GenuineIntelW...........T....... ....#.`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE07.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:49:38 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	41660
Entropy (8bit):	2.403405146292841
Encrypted:	false
SSDEEP:	192:FWQS1jvp1XqQB15lR2khWUKocLM/7VrI4NHINYvrwxL9nn:hS1znnjFOC88kYKL9n
MD5:	3546256C4B742FB4B690D4C4B092ADBC
SHA1:	7E9842F533976E6A63C6D6AC9D1045EF989EFDA0
SHA-256:	00E7801DF84931FB42EF7F0A6484ED0A4006D480CFC41F4599C575FED5E7916E
SHA-512:	0330E441EC9268DEA42926C58981C4B69BEBD251887557E5C58B537B1FD78E25B220CC3D99997F5EC44E76D0671D66AA0BFDD38CB1B27B28C5E5F51519FED469
Malicious:	false
Preview:	MDMP....... ........#.`...................U...........B......P ......GenuineIntelW...........T............#.`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE38.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4770
Entropy (8bit):	4.486746150131345
Encrypted:	false
SSDEEP:	48:cvIwSD8zswJgtWI9CMWSC8Bm8fm8M4JCds0MF9+q8vjs0K4SrSsd:uITf25lSNBJyQKtKDWsd
MD5:	2F3A01531E832F9E3B5F3EBCA8560B49
SHA1:	7FD083A88E658EB16BA411FCE38CED19E0366C45
SHA-256:	E8FFC2A0E1438FE2CD751EC38A18A122633B002F64FACA65D83D21C05B93C7B1
SHA-512:	077CA44840F6E45262CF109B54C974479B73D3D38799540519A018B49AC171B5433212831E09FB66A4C368C51E0578527D3906366E8E03D52828A8C22FD824DC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975720" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.536014050371126
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	b8fe43e6_by_Libranalysis.dll
File size:	164864
MD5:	b8fe43e6e418db516c1deda8d2b1e8d0
SHA1:	d6901a2528977ed284f9e6808a73029371cd2ecc
SHA256:	6ea1efc4c1dd494c71fbfb23ea1fdc5530f9cbb6602993d96a74a7b014a96ee3
SHA512:	276f9e3def3a672d78128ec30c5fd48ec2946c344d0704c7f80f911f9e3f0f980b30bd486b1b1d8c15f9572f6fabeb0b7627bab785352fe80ef844632aef6ddd
SSDEEP:	3072:sk2X+QFg3UutDvUvoU8pz6EJEEhu6Tzace9kuaGA81/YXKHML/vp8AF:yG3rUvoU4JE/Wzan9T7B/CKsL/vy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.%.0zK.0zK.0zK.0zJ.}{K...3..{K.....P{K...3..zK.V....zK...1..{K......zK.Rich0zK.........................................PE..L..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x100241a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60903ADD [Mon May 3 18:03:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f108efab351dd21acb187c36805c5bbe

Entrypoint Preview

Instruction
mov edx, eax
xor eax, eax
add eax, 00002233h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp eax, 01h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Rich Headers

Programming Language:

[RES] VS2012 UPD3 build 60610
[LNK] VS2005 build 50727
[EXP] VS2005 build 50727
[ C ] VS2012 UPD4 build 61030
[IMP] VS2013 UPD2 build 30501

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x27730	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x27804	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x1220
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10018	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23b14	0x23400	False	0.759010693706	data	7.5511794748	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2ab4	0x2c00	False	0.770685369318	data	7.47874664505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x336c	0x1800	False	0.78564453125	MMDF mailbox	7.42299069747	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x3a0	0x400	False	0.4091796875	data	3.06807977608	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x258	0x400	False	0.5263671875	data	4.16057022331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x33c	data

Imports

DLL	Import
msvcrt.dll	memset
ADVAPI32.dll	RegOverridePredefKey
ole32.dll	CreatePointerMoniker, CreateStreamOnHGlobal
USER32.dll	TranslateMessage
OPENGL32.dll	glTexSubImage1D
KERNEL32.dll	CloseHandle, OutputDebugStringA, LoadLibraryExW, CreateFileW, GetProfileSectionW, LoadLibraryW, GetProfileSectionA, OpenSemaphoreW
RASAPI32.dll	RasGetConnectionStatistics
CLUSAPI.dll	ClusterEnum

Exports

Name	Ordinal	Address
LoxmtYt	1	0x10027776

Version Infos

Description	Data
LegalCopyright	Copyright 2018
InternalName	j2pcsc
FileVersion	8.0.1710.11
Full Version	1.8.0_171-b11
CompanyName	Oracle Corporation
ProductName	Java(TM) Platform SE 8
ProductVersion	8.0.1710.11
FileDescription	Java(TM) Platform SE binary
OriginalFilename	j2pcsc.dll
Translation	0x0000 0x04b0

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 21:47:10.513834953 CEST	52238	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:10.562426090 CEST	53	52238	8.8.8.8	192.168.2.3
May 4, 2021 21:47:11.288100004 CEST	49873	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:11.336699009 CEST	53	49873	8.8.8.8	192.168.2.3
May 4, 2021 21:47:12.193219900 CEST	53196	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:12.242830038 CEST	53	53196	8.8.8.8	192.168.2.3
May 4, 2021 21:47:13.072216988 CEST	56777	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:13.123243093 CEST	53	56777	8.8.8.8	192.168.2.3
May 4, 2021 21:47:14.234678984 CEST	58643	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:14.294538975 CEST	53	58643	8.8.8.8	192.168.2.3
May 4, 2021 21:47:15.158169985 CEST	60985	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:15.211030006 CEST	53	60985	8.8.8.8	192.168.2.3
May 4, 2021 21:47:16.009810925 CEST	50200	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:16.068655014 CEST	53	50200	8.8.8.8	192.168.2.3
May 4, 2021 21:47:16.982290030 CEST	51281	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:17.031006098 CEST	53	51281	8.8.8.8	192.168.2.3
May 4, 2021 21:47:18.049487114 CEST	49199	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:18.098499060 CEST	53	49199	8.8.8.8	192.168.2.3
May 4, 2021 21:47:19.082519054 CEST	50620	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:19.132920027 CEST	53	50620	8.8.8.8	192.168.2.3
May 4, 2021 21:47:50.077451944 CEST	64938	53	192.168.2.3	8.8.8.8
May 4, 2021 21:47:50.228658915 CEST	53	64938	8.8.8.8	192.168.2.3
May 4, 2021 21:48:03.933945894 CEST	60152	53	192.168.2.3	8.8.8.8
May 4, 2021 21:48:03.984332085 CEST	53	60152	8.8.8.8	192.168.2.3
May 4, 2021 21:48:05.810849905 CEST	57544	53	192.168.2.3	8.8.8.8
May 4, 2021 21:48:05.859726906 CEST	53	57544	8.8.8.8	192.168.2.3
May 4, 2021 21:48:06.234451056 CEST	55984	53	192.168.2.3	8.8.8.8
May 4, 2021 21:48:06.294487000 CEST	53	55984	8.8.8.8	192.168.2.3
May 4, 2021 21:48:09.548558950 CEST	64185	53	192.168.2.3	8.8.8.8
May 4, 2021 21:48:09.600003004 CEST	53	64185	8.8.8.8	192.168.2.3
May 4, 2021 21:48:11.579992056 CEST	65110	53	192.168.2.3	8.8.8.8
May 4, 2021 21:48:11.629723072 CEST	53	65110	8.8.8.8	192.168.2.3
May 4, 2021 21:48:13.353601933 CEST	58361	53	192.168.2.3	8.8.8.8
May 4, 2021 21:48:13.404401064 CEST	53	58361	8.8.8.8	192.168.2.3
May 4, 2021 21:49:12.177429914 CEST	63492	53	192.168.2.3	8.8.8.8
May 4, 2021 21:49:12.226418018 CEST	53	63492	8.8.8.8	192.168.2.3
May 4, 2021 21:49:28.486131907 CEST	60831	53	192.168.2.3	8.8.8.8
May 4, 2021 21:49:28.536700964 CEST	53	60831	8.8.8.8	192.168.2.3
May 4, 2021 21:49:36.950227976 CEST	60100	53	192.168.2.3	8.8.8.8
May 4, 2021 21:49:37.002782106 CEST	53	60100	8.8.8.8	192.168.2.3
May 4, 2021 21:49:37.591083050 CEST	53195	53	192.168.2.3	8.8.8.8
May 4, 2021 21:49:37.641452074 CEST	53	53195	8.8.8.8	192.168.2.3
May 4, 2021 21:49:37.702224970 CEST	50141	53	192.168.2.3	8.8.8.8
May 4, 2021 21:49:37.753871918 CEST	53	50141	8.8.8.8	192.168.2.3
May 4, 2021 21:49:39.274626017 CEST	53023	53	192.168.2.3	8.8.8.8
May 4, 2021 21:49:39.324827909 CEST	53	53023	8.8.8.8	192.168.2.3
May 4, 2021 21:49:39.735467911 CEST	49563	53	192.168.2.3	8.8.8.8
May 4, 2021 21:49:39.786880016 CEST	53	49563	8.8.8.8	192.168.2.3
May 4, 2021 21:50:16.188381910 CEST	51352	53	192.168.2.3	8.8.8.8
May 4, 2021 21:50:16.240567923 CEST	53	51352	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 3440 Parent PID: 5664

General

Start time:	21:47:17
Start date:	04/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll'
Imagebase:	0xdb0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 748 Parent PID: 3440

General

Start time:	21:47:18
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4872 Parent PID: 3440

General

Start time:	21:47:18
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll,LoxmtYt
Imagebase:	0xf90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4308 Parent PID: 748

General

Start time:	21:47:18
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',#1
Imagebase:	0xf90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.319669645.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: WerFault.exe PID: 5256 Parent PID: 4308

General

Start time:	21:48:02
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 760
Imagebase:	0x50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 5804 Parent PID: 4872

General

Start time:	21:48:09
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 928
Imagebase:	0x50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5012 Parent PID: 3440

General

Start time:	21:48:11
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllCanUnloadNow
Imagebase:	0xf90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000002.508405048.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 5984 Parent PID: 3440

General

Start time:	21:48:11
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',DllGetClassObject
Imagebase:	0xf90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000010.00000002.509454632.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 5408 Parent PID: 3440

General

Start time:	21:48:11
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddFileToInstance
Imagebase:	0xf90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000011.00000002.512489931.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 4868 Parent PID: 3440

General

Start time:	21:48:12
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiAddParameter
Imagebase:	0xf90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000012.00000002.513324135.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 2992 Parent PID: 3440

General

Start time:	21:48:12
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\b8fe43e6_by_Libranalysis.dll',WdiCancel
Imagebase:	0xf90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.505756712.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: WerFault.exe PID: 5584 Parent PID: 5012

General

Start time:	21:49:24
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 756
Imagebase:	0x50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 4180 Parent PID: 5984

General

Start time:	21:49:28
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 756
Imagebase:	0x50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 1540 Parent PID: 5408

General

Start time:	21:49:35
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 756
Imagebase:	0x50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 5040 Parent PID: 4868

General

Start time:	21:49:35
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 756
Imagebase:	0x50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 1968 Parent PID: 3440

General

Start time:	21:50:13
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 592
Imagebase:	0x1050000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report b8fe43e6_by_Libranalysis.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 3440 Parent PID: 5664

General