Analysis Report f845ef61_by_Libranalysis

Overview

General Information

Sample Name:f845ef61_by_Libranalysis (renamed file extension from none to dll)
Analysis ID:404282
MD5:f845ef6120dfd5a421786e9d818c9ddb
SHA1:0517da7604bec2311002f113938660db1a7c7c98
SHA256:26af94089c064eafa3025ac20749882f18213bf8608147a2b842e55e13d7c688
Tags:Dridex

Detection

Dridex
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6560 cmdline: loaddll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6580 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6624 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 7048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 764 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6612 cmdline: rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 888 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 340 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 988 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6028 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5876 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddFileToInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6136 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddParameter MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5652 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiCancel MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6236 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
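The Startup tree above is the sandbox's own harness at work: loaddll32.exe enumerates the DLL's exports and runs rundll32.exe once per export, and three of those hosts (ordinal #1, LoxmtYt, DllCanUnloadNow) die under WerFault.exe while the Wdi* and DllGetClassObject hosts survive. The triage question a responder has for a real endpoint log is simpler: which rundll32 instances loaded a DLL from a user-writable location, which export did each call, and which of them crashed. The script below, an added example and not part of the Joe Sandbox report, answers that over the report's process lines (copied from the tree and reduced to image, PID and command line). The user-writable path list and the WerFault pairing logic are this example's own assumptions.

```python
"""Triage of a sandbox process tree: which rundll32.exe instances loaded a DLL from a
user-writable path, which export each one called, and which of them WerFault.exe was
started for. Added example; not part of the Joe Sandbox report. The process lines are
copied from the report's Startup section (cleaned to image, PID and command line); the
user-writable path list and the pairing logic are this example's own assumptions."""
import re
from dataclasses import dataclass

# Constructed from the report's Startup tree: "<image> (PID: <pid> cmdline: <cmdline>)".
PROCESS_LINES = [
    "loaddll32.exe (PID: 6560 cmdline: loaddll32.exe 'C:\\Users\\user\\Desktop\\f845ef61_by_Libranalysis.dll')",
    "cmd.exe (PID: 6580 cmdline: cmd.exe /C rundll32.exe 'C:\\Users\\user\\Desktop\\f845ef61_by_Libranalysis.dll',#1)",
    "rundll32.exe (PID: 6624 cmdline: rundll32.exe 'C:\\Users\\user\\Desktop\\f845ef61_by_Libranalysis.dll',#1)",
    "WerFault.exe (PID: 7048 cmdline: C:\\Windows\\SysWOW64\\WerFault.exe -u -p 6624 -s 764)",
    "rundll32.exe (PID: 6612 cmdline: rundll32.exe C:\\Users\\user\\Desktop\\f845ef61_by_Libranalysis.dll,LoxmtYt)",
    "WerFault.exe (PID: 3280 cmdline: C:\\Windows\\SysWOW64\\WerFault.exe -u -p 6612 -s 888)",
    "rundll32.exe (PID: 340 cmdline: rundll32.exe 'C:\\Users\\user\\Desktop\\f845ef61_by_Libranalysis.dll',DllCanUnloadNow)",
    "WerFault.exe (PID: 5052 cmdline: C:\\Windows\\SysWOW64\\WerFault.exe -u -p 340 -s 760)",
    "rundll32.exe (PID: 6028 cmdline: rundll32.exe 'C:\\Users\\user\\Desktop\\f845ef61_by_Libranalysis.dll',DllGetClassObject)",
    "rundll32.exe (PID: 5876 cmdline: rundll32.exe 'C:\\Users\\user\\Desktop\\f845ef61_by_Libranalysis.dll',WdiAddFileToInstance)",
    "WerFault.exe (PID: 6236 cmdline: C:\\Windows\\SysWOW64\\WerFault.exe -u -p 6560 -s 604)",
]

PROCESS_RE = re.compile(r"^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*)\)$")
# rundll32.exe <dll>[,<export>]; the report quotes paths with single quotes, real logs usually do not.
RUNDLL_RE = re.compile(r"^rundll32\.exe\s+'?(?P<dll>[^',]+?)'?\s*(?:,\s*(?P<export>\S+))?\s*$", re.I)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(?P<pid>\d+)\b")

# Assumption: locations a standard user can write to; a DLL loaded by rundll32 from here is worth a look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class Process:
    image: str
    pid: int
    cmdline: str


def parse_process_line(line):
    """Return a Process for one tree line, or None if the line is not in the expected shape."""
    m = PROCESS_RE.match(line.strip())
    if not m:
        return None
    return Process(m["image"], int(m["pid"]), m["cmd"])


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll_path, export); export is None when omitted."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    return m["dll"], m["export"]


def is_user_writable(path):
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in p or "\\temp\\" in p


def triage(lines):
    """Flag rundll32 loads from user-writable paths and pair WerFault reporters with the PID they report on."""
    procs = [p for p in (parse_process_line(ln) for ln in lines) if p]
    by_pid = {p.pid: p for p in procs}
    suspicious = []          # (Process, dll, export) for rundll32 loading from a user-writable path
    crash_reported_for = {}  # reported PID -> image name of that process
    for p in procs:
        if p.image.lower() == "rundll32.exe":
            parsed = parse_rundll32(p.cmdline)
            if parsed and is_user_writable(parsed[0]):
                suspicious.append((p, parsed[0], parsed[1]))
        elif p.image.lower() == "werfault.exe":
            m = WERFAULT_PID_RE.search(p.cmdline)
            if m:
                target = int(m["pid"])
                crash_reported_for[target] = by_pid[target].image if target in by_pid else "<unknown>"
    crashed_exports = {exp for proc, _, exp in suspicious if proc.pid in crash_reported_for}
    return {
        "suspicious_rundll32": [proc for proc, _, _ in suspicious],
        "exports_called": [exp for _, _, exp in suspicious],
        "crash_reported_for": crash_reported_for,
        "crashed_exports": crashed_exports,
    }


if __name__ == "__main__":
    result = triage(PROCESS_LINES)
    for proc in result["suspicious_rundll32"]:
        print(f"rundll32 PID {proc.pid}: {proc.cmdline}")
    print("WerFault started for:", result["crash_reported_for"])
    print("exports whose rundll32 host crashed:", sorted(result["crashed_exports"]))
```

Run against the report's lines it flags all five rundll32 instances (the DLL sits under C:\Users\), lists the exports they called, and shows that WerFault was started for PIDs 6624, 6612, 340 and the loaddll32 harness itself. On a production endpoint the crash pairing is the useful part: a DLL whose non-standard exports crash under rundll32 while one opaque export survives is a common shape for a loader that only does real work from a single entry point.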

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "gVWbIbse4LncmZTrtE5bhEEfziocKyUXoiF1kB3a8v5ucqsS91u1M39nZYKpCWBaZM8JOlA1"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000010.00000002.593134823.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000011.00000002.593304791.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
0000000F.00000002.590448594.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000012.00000002.594741649.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
0000000E.00000002.605551680.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security

Unpacked PEs

Source | Rule | Description | Author
15.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
14.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
16.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
18.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
17.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
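The memory-dump names in the Yara Overview carry more than an identifier. Read as fields, they say where the Dridex rule fired: in five rundll32 processes (sandbox process numbers 14 to 18), at 0x10001000, one page above the 0x10000000 image base of the unpacked PEs listed right after, in a region whose protection field is 0x20 (PAGE_EXECUTE_READ). The script below, an added example and not part of the Joe Sandbox report, decodes both name formats and correlates them. The field layout is an assumption read off this report (process number and phase in the .sdmp name line up with the NN.P. prefix of the .unpack name, so 0x10 is process 16); the protection and type fields are decoded as the Windows PAGE_* and MEM_* constants where they match one, and reported raw otherwise.

```python
"""Decode the memory-dump and unpacked-PE identifiers in the Yara Overview and correlate
them. Added example; not part of the Joe Sandbox report. The field layout is an
assumption read off this report: '<process no>.<phase>.<dump id>.<base>.<protection>.<type>.sdmp',
where the hex process number and phase match the 'NN.P.' prefix of the '.unpack' names
(0x10 -> 16.2). Protection values are decoded as Windows PAGE_* constants and the type
field as MEM_* constants where it matches one; anything else is reported raw."""
import re
from dataclasses import dataclass

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

DUMP_RE = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)\.unpack$", re.I)

# Copied from the report's Yara Overview.
DUMP_NAMES = [
    "00000010.00000002.593134823.0000000010001000.00000020.00020000.sdmp",
    "00000011.00000002.593304791.0000000010001000.00000020.00020000.sdmp",
    "0000000F.00000002.590448594.0000000010001000.00000020.00020000.sdmp",
    "00000012.00000002.594741649.0000000010001000.00000020.00020000.sdmp",
    "0000000E.00000002.605551680.0000000010001000.00000020.00020000.sdmp",
]
UNPACK_NAMES = [
    "15.2.rundll32.exe.10000000.3.unpack",
    "14.2.rundll32.exe.10000000.3.unpack",
    "16.2.rundll32.exe.10000000.3.unpack",
    "18.2.rundll32.exe.10000000.3.unpack",
    "17.2.rundll32.exe.10000000.3.unpack",
]


@dataclass(frozen=True)
class MemoryDump:
    process_no: int   # sandbox process number, not the OS PID
    phase: int
    dump_id: int
    base: int
    protection: int
    mem_type: int


@dataclass(frozen=True)
class UnpackedPE:
    process_no: int
    phase: int
    image: str
    base: int
    index: int


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    proc, phase, dump_id, base, prot, typ = m.groups()
    return MemoryDump(int(proc, 16), int(phase, 16), int(dump_id), int(base, 16), int(prot, 16), int(typ, 16))


def parse_unpack_name(name):
    m = UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not an unpacked PE name: {name!r}")
    proc, phase, image, base, index = m.groups()
    return UnpackedPE(int(proc), int(phase), image, int(base, 16), int(index))


def describe(dump):
    prot = PAGE_PROTECTION.get(dump.protection, f"protection 0x{dump.protection:x} (unknown)")
    typ = MEM_TYPE.get(dump.mem_type, f"type 0x{dump.mem_type:x} (unknown)")
    return f"process {dump.process_no}, phase {dump.phase}, base 0x{dump.base:08x}, {prot}, {typ}"


def correlate(dumps, unpacks, max_image_size=0x1000000):
    """Pair each dump with the unpacked PE of the same process/phase whose image it falls inside.
    max_image_size (16 MiB) is an assumed upper bound because the names carry no region size."""
    pairs = []
    for d in dumps:
        for u in unpacks:
            if (d.process_no, d.phase) == (u.process_no, u.phase) and u.base <= d.base < u.base + max_image_size:
                pairs.append((d, u))
    return pairs


if __name__ == "__main__":
    dumps = [parse_dump_name(n) for n in DUMP_NAMES]
    unpacks = [parse_unpack_name(n) for n in UNPACK_NAMES]
    for d, u in correlate(dumps, unpacks):
        print(f"{describe(d)}  <- {u.image} image at 0x{u.base:08x} (dump {u.index})")
```

Each of the five dumps pairs with exactly one unpacked PE of the same process. The practical reading, if the type field is the MEM_* value as assumed, is that the Yara hit is in executable private memory rather than in a file-backed image: code that was written at runtime and then made executable. That is consistent with the file-based scanner rates of 21% and 23% on the same sample; the packed DLL on disk is not what the rule matches, so hunting for this family by file hash is weak, while scanning executable private regions inside rundll32.exe is decisive.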

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 15.2.rundll32.exe.10000000.3.unpack, Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "gVWbIbse4LncmZTrtE5bhEEfziocKyUXoiF1kB3a8v5ucqsS91u1M39nZYKpCWBaZM8JOlA1"]}
Multi AV Scanner detection for submitted file
Source: f845ef61_by_Libranalysis.dll, Metadefender: Detection: 21%
Source: f845ef61_by_Libranalysis.dll, ReversingLabs: Detection: 23%
Machine Learning detection for sample
Source: f845ef61_by_Libranalysis.dll, Joe Sandbox ML: detected

Static PE information and debug strings:

Source: f845ef61_by_Libranalysis.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: f845ef61_by_Libranalysis.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: winspool.pdba% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.434205216.0000000004E75000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.437623888.0000000002A82000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.558772594.0000000004597000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.435060985.0000000002F40000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438760333.0000000002A7C000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbE% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb[% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.434470631.0000000002F4C000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438229075.0000000002A88000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbp source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb.LK source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb2LG source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbI% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb]% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593519957.0000000004DF5000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: glu32.pdb7 source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb% source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbW% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb|0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: combase.pdbC% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: FGERN.pdb source: f845ef61_by_Libranalysis.dll
Source: Binary string: dwmapi.pdb(LM source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.434230037.0000000002F46000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.437623888.0000000002A82000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: ole32.pdbCC source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbs source: WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
Source: Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.602833822.00000000023D2000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdbm source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbp source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593519957.0000000004DF5000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbk source: WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbL0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb*0!% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb$LQ source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.435060985.0000000002F40000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438760333.0000000002A7C000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb<Ly source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: combase.pdbs source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbz0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000D.00000003.436771504.0000000002A76000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdbg source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb,0+% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdba source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdbh0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.434470631.0000000002F4C000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438229075.0000000002A88000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbeN source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbF^ source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, IPs: 193.200.130.181:443
Source: Malware configuration extractor, IPs: 95.138.161.226:2303
Source: Malware configuration extractor, IPs: 167.114.113.13:4125
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 167.114.113.13
Source: Joe Sandbox View, IP Address: 95.138.161.226
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: OVHFR
Source: Joe Sandbox View, ASN Name: RACKSPACE-LONGB
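Two lists in this section do not quite agree: the configuration names three C2 endpoints, but the sandbox only saw traffic to 167.114.113.13 and 95.138.161.226, so 193.200.130.181:443 is an IOC that comes from the extracted config alone. The script below, an added example and not part of the Joe Sandbox report, turns the configuration into network IOCs, rejects anything that is not a usable public address, emits Suricata rules, and reports exactly that difference between configured and observed endpoints. The JSON and the observed addresses are copied from this report; the rule template, the sid range 9000001 onward and the decision to leave the RC4 keys out of the IOC set are this example's own choices.

```python
"""Turn the extracted Dridex configuration into network IOCs and cross-check them against
the connections the sandbox reported. Added example; not part of the Joe Sandbox report.
The configuration JSON and the observed addresses are copied from this report; the IOC
format, the Suricata rule template and the sid range 9000001+ are this example's choices."""
import ipaddress
import json

# Copied from the report's Malware Configuration section.
CONFIG_JSON = (
    '{"Version": 22201, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], '
    '"RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", '
    '"gVWbIbse4LncmZTrtE5bhEEfziocKyUXoiF1kB3a8v5ucqsS91u1M39nZYKpCWBaZM8JOlA1"]}'
)
# Addresses listed under 'Joe Sandbox View, IP Address' in the Networking section.
OBSERVED_IPS = {"167.114.113.13", "95.138.161.226"}


def parse_c2(entry):
    """'ip:port' -> (ip, port); None for malformed entries, bad ports or non-global addresses
    (a private or loopback address in a config is not a usable network IOC)."""
    host, sep, port_s = entry.rpartition(":")
    if not sep or not port_s.isdigit():
        return None
    port = int(port_s)
    if not 1 <= port <= 65535:
        return None
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None
    if not ip.is_global:
        return None
    return str(ip), port


def extract_iocs(config_json):
    """Network IOCs from a Dridex config. The RC4 keys are deliberately not returned: they are
    analyst material for decrypting traffic, not blocklist entries."""
    cfg = json.loads(config_json)
    c2, rejected = [], []
    for entry in cfg.get("C2 list", []):
        parsed = parse_c2(entry)
        (c2 if parsed else rejected).append(parsed or entry)
    return {"version": cfg.get("Version"), "c2": c2, "rejected": rejected}


def compare(iocs, observed_ips):
    """Configured endpoints versus what the sandbox actually contacted."""
    configured = {ip for ip, _ in iocs["c2"]}
    return {
        "configured": configured,
        "configured_not_observed": configured - set(observed_ips),
        "observed_not_configured": set(observed_ips) - configured,
    }


def to_suricata(iocs, first_sid=9000001):
    """One outbound alert rule per configured endpoint; sid range is an assumption."""
    rules = []
    for i, (ip, port) in enumerate(iocs["c2"]):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Dridex C2 {ip}:{port} (config version {iocs["version"]})"; '
            f'flow:to_server; classtype:trojan-activity; sid:{first_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(CONFIG_JSON)
    diff = compare(iocs, OBSERVED_IPS)
    print("configured but not contacted in the sandbox:", sorted(diff["configured_not_observed"]))
    print("\n".join(to_suricata(iocs)))
```

The rules match on destination IP and port rather than content because two of the three ports are non-standard and the third is 443, where the payload is not inspectable; an endpoint that appears in the config but produced no traffic during the run still belongs on the blocklist, since the sandbox window is short and the sample stopped while sleeping.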

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match, file source: 00000010.00000002.593134823.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.593304791.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.590448594.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.594741649.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000E.00000002.605551680.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 15.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 17.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

Further signature results:

Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe, code function: 14_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe, code function: 14_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe, code function: 14_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe, code function: 14_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe, code function: 14_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe, code function: 14_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe, code function: 14_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe, code function: 14_2_100090CC
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe, process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 764
Sample file is different than original file name gathered from version info
Source: f845ef61_by_Libranalysis.dll, binary or memory string: OriginalFilename j2pcsc.dll vs f845ef61_by_Libranalysis.dll
Uses 32bit PE files
Source: f845ef61_by_Libranalysis.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: f845ef61_by_Libranalysis.dll, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal76.troj.evad.winDLL@24/16@0/4
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6560
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess340
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6612
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6624
Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA522.tmp
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts (reported by each of the four WerFault.exe instances)
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt
                      Source: f845ef61_by_Libranalysis.dllMetadefender: Detection: 21%
                      Source: f845ef61_by_Libranalysis.dllReversingLabs: Detection: 23%
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 764
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 888
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllCanUnloadNow
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllGetClassObject
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddFileToInstance
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddParameter
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiCancel
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 604
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYtJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllCanUnloadNowJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllGetClassObjectJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddFileToInstanceJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddParameterJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiCancelJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760Jump to behavior
                      Source: f845ef61_by_Libranalysis.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: f845ef61_by_Libranalysis.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: winspool.pdba% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.434205216.0000000004E75000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.437623888.0000000002A82000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.558772594.0000000004597000.00000004.00000001.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.435060985.0000000002F40000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438760333.0000000002A7C000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdbE% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: opengl32.pdb[% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.434470631.0000000002F4C000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438229075.0000000002A88000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdbp source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb.LK source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb2LG source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdbI% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb]% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593519957.0000000004DF5000.00000004.00000040.sdmp
                      Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: glu32.pdb7 source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
                      Source: Binary string: opengl32.pdb% source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdbW% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp
                      Source: Binary string: dwmapi.pdb|0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdbC% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: FGERN.pdb source: f845ef61_by_Libranalysis.dll
                      Source: Binary string: dwmapi.pdb(LM source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.434230037.0000000002F46000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.437623888.0000000002A82000.00000004.00000001.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: Binary string: ole32.pdbCC source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdbs source: WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
                      Source: Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.602833822.00000000023D2000.00000004.00000001.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: ClusApi.pdbm source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdbp source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593519957.0000000004DF5000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdbk source: WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbL0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: ClusApi.pdb*0!% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
                      Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: dnsapi.pdb$LQ source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.435060985.0000000002F40000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438760333.0000000002A7C000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb<Ly source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbs source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
                      Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: dnsapi.pdbz0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000D.00000003.436771504.0000000002A76000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdbg source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb,0+% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdba source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdbh0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.434470631.0000000002F4C000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438229075.0000000002A88000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdbeN source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdbF^ source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_1000F6CC push esi; mov dword ptr [esp], 00000000h14_2_1000F6CD
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.56345314972
                      Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to detect sandboxes / dynamic malware analysis system (file name check)
                      Source: C:\Windows\System32\loaddll32.exe Section loaded: \KnownDlls32\Testapp.EXE
                      Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: \KnownDlls32\Testapp.EXE
                      Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
                      Source: WerFault.exe, 0000000B.00000002.604193896.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.605983948.0000000004E80000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: WerFault.exe, 0000000B.00000002.602500515.0000000004D70000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: WerFault.exe, 0000000B.00000002.604193896.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.605983948.0000000004E80000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: WerFault.exe, 0000000B.00000002.604193896.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.605983948.0000000004E80000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: WerFault.exe, 0000000B.00000002.604193896.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.605983948.0000000004E80000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA 14_2_10006D50