
Analysis Report f845ef61_by_Libranalysis

Overview

General Information

Sample Name: f845ef61_by_Libranalysis (renamed file extension from none to dll)
Analysis ID: 404282
MD5: f845ef6120dfd5a421786e9d818c9ddb
SHA1: 0517da7604bec2311002f113938660db1a7c7c98
SHA256: 26af94089c064eafa3025ac20749882f18213bf8608147a2b842e55e13d7c688
Tags: Dridex

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6560 cmdline: loaddll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6580 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6624 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 7048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 764 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6612 cmdline: rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 888 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 340 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 988 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6028 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5876 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddFileToInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6136 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddParameter MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5652 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiCancel MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6236 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
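The tree above is the sandbox's DLL harness at work: loaddll32.exe loads the sample, then rundll32.exe is called once per export (the ordinal #1, DllCanUnloadNow, DllGetClassObject, the Wdi* names and LoxmtYt), and several of those calls crash, which is why WerFault.exe appears with -p <pid> pointing at the crashed process. Outside a sandbox the same shape, rundll32.exe loading a DLL from a user's Desktop by export name, is a hunting lead on its own, and the WerFault report is a second signal that the loaded code misbehaved. The Python below is an added example, not part of the report or of any vendor tooling: it runs that logic over constructed Sysmon-style process-creation records built from this tree (the parent PID of loaddll32.exe and the final benign rundll32 record are assumptions) and links each WerFault crash report back to a flagged rundll32 process. The parser accepts both double and single quoting of the DLL path, since the report renders the command lines with single quotes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records (Sysmon Event ID 1 style) modelled on the
# process tree in this report. PIDs, images and command lines are copied from the
# tree; the parent PID of loaddll32.exe (1000) and the last, benign record are
# assumptions added for the example.
EVENTS: List[Dict] = [
    {"pid": 6560, "ppid": 1000, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r'loaddll32.exe "C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll"'},
    {"pid": 6580, "ppid": 6560, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll",#1'},
    {"pid": 6624, "ppid": 6580, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll",#1'},
    {"pid": 7048, "ppid": 6624, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 764"},
    {"pid": 6612, "ppid": 6560, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt"},
    {"pid": 5876, "ppid": 6560, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll",WdiAddFileToInstance'},
    # Benign control (assumed): rundll32 loading a System32 DLL by a documented export.
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

RUNDLL32_RE = re.compile(
    r'^"?[^"\s]*rundll32\.exe"?\s+'                          # the rundll32 image itself
    r'(?:"(?P<q>[^"]+)"|\'(?P<s>[^\']+)\'|(?P<b>[^,\s]+))'  # "quoted", 'quoted' or bare DLL path
    r'(?:,(?P<export>\S+))?',                                # optional ,ExportName or ,#ordinal
    re.IGNORECASE,
)
# Coarse list of user-writable roots; extend for your estate (Downloads, AppData live under Users).
USER_WRITABLE_RE = re.compile(r'^[a-z]:\\(?:users|programdata|windows\\temp)\\', re.IGNORECASE)
# WerFault.exe -u -p <pid> -s <handle>: -p names the process being reported on.
WERFAULT_PID_RE = re.compile(r'\s-p\s+(\d+)\b')


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dll_path, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    path = m.group("q") or m.group("s") or m.group("b")
    return path, m.group("export")


def detect(events: List[Dict]) -> List[Dict]:
    """Flag rundll32 loading a DLL from a user-writable path, then any WerFault
    report whose -p target is one of those flagged processes."""
    findings: List[Dict] = []
    suspicious_pids = set()
    for ev in events:
        if ev["image"].lower().endswith(r"\rundll32.exe"):
            parsed = parse_rundll32(ev["cmdline"])
            if parsed and USER_WRITABLE_RE.match(parsed[0]):
                suspicious_pids.add(ev["pid"])
                findings.append({"pid": ev["pid"], "rule": "rundll32_user_writable_dll",
                                 "dll": parsed[0], "export": parsed[1]})
    for ev in events:
        if ev["image"].lower().endswith(r"\werfault.exe"):
            m = WERFAULT_PID_RE.search(ev["cmdline"])
            if m and int(m.group(1)) in suspicious_pids:
                findings.append({"pid": ev["pid"], "rule": "werfault_for_suspicious_rundll32",
                                 "crashed_pid": int(m.group(1))})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Running it flags the three rundll32 invocations that load the DLL from the Desktop (PIDs 6624, 6612, 5876) plus the WerFault report for 6624, and leaves the System32 control record alone. Note that the page lists no matching Sigma rule, so a rule like this would have to be written locally.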

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "gVWbIbse4LncmZTrtE5bhEEfziocKyUXoiF1kB3a8v5ucqsS91u1M39nZYKpCWBaZM8JOlA1"]}
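The configuration block is the operational take-away of this report: three hard-coded C2 endpoints (two on non-standard ports, 2303 and 4125, beside one on 443) and two RC4 keys for the Dridex build 22201. The Python below is an added example, not output of the sandbox and not code from the Dridex authors: it parses the extractor's JSON as printed above, refuses malformed or non-routable entries so that a botched extraction cannot poison a block list, and emits one Suricata rule per endpoint. The sid range and the rule wording are assumptions for the example.

```python
import ipaddress
import json
from typing import List, Optional, Tuple

# Dridex configuration exactly as the report's extractor printed it (copied from this page).
DRIDEX_CONFIG_JSON = (
    '{"Version": 22201, '
    '"C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], '
    '"RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", '
    '"gVWbIbse4LncmZTrtE5bhEEfziocKyUXoiF1kB3a8v5ucqsS91u1M39nZYKpCWBaZM8JOlA1"]}'
)


def config_version(config_json: str) -> int:
    """The build number the extractor reports under 'Version'."""
    return int(json.loads(config_json)["Version"])


def parse_c2_list(config_json: str) -> List[Tuple[str, int]]:
    """Return validated, de-duplicated (ip, port) pairs from the 'C2 list' field.

    Every entry must be a literal, globally routable IP address followed by a
    1-65535 port. Anything else raises ValueError instead of silently becoming a
    block-list entry (a private address or a hostname would otherwise slip through).
    """
    cfg = json.loads(config_json)
    endpoints: List[Tuple[str, int]] = []
    for entry in cfg.get("C2 list", []):
        host, sep, port_s = entry.rpartition(":")
        if not sep or not port_s.isdigit():
            raise ValueError(f"malformed C2 entry {entry!r}")
        ip = ipaddress.ip_address(host.strip("[]"))  # ValueError for hostnames or garbage
        port = int(port_s)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        if not ip.is_global:
            raise ValueError(f"non-routable address in {entry!r}")
        endpoints.append((str(ip), port))
    return list(dict.fromkeys(endpoints))  # drop duplicates, keep config order


def suricata_rules(endpoints: List[Tuple[str, int]], sid_base: int = 1000000,
                   family: str = "Dridex", version: Optional[int] = None) -> List[str]:
    """Emit one outbound TCP alert per C2 endpoint.

    sid_base defaults to the start of the 1000000-1999999 range conventionally
    reserved for local rules; adjust it to your own allocation (an assumption here).
    """
    rules = []
    for i, (ip, port) in enumerate(endpoints):
        tag = f" (config v{version})" if version is not None else ""
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{family} C2 {ip}:{port}{tag}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2_list(DRIDEX_CONFIG_JSON)
    for rule in suricata_rules(c2, version=config_version(DRIDEX_CONFIG_JSON)):
        print(rule)
```

Treat the three endpoints as indicators for this build rather than a durable block list: the "Networking" evidence further down shows only two of them were seen in other sandbox runs, and C2 lists in Dridex configurations differ between builds.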

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000010.00000002.593134823.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000011.00000002.593304791.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
0000000F.00000002.590448594.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000012.00000002.594741649.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
0000000E.00000002.605551680.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security

Unpacked PEs

Source | Rule | Description | Author
15.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
14.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
16.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
18.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
17.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 15.2.rundll32.exe.10000000.3.unpack | Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "gVWbIbse4LncmZTrtE5bhEEfziocKyUXoiF1kB3a8v5ucqsS91u1M39nZYKpCWBaZM8JOlA1"]}
Multi AV Scanner detection for submitted file
Source: f845ef61_by_Libranalysis.dll | Metadefender: Detection: 21%
Source: f845ef61_by_Libranalysis.dll | ReversingLabs: Detection: 23%
Machine Learning detection for sample
Source: f845ef61_by_Libranalysis.dll | Joe Sandbox ML: detected
Source: f845ef61_by_Libranalysis.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: f845ef61_by_Libranalysis.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: winspool.pdba% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.434205216.0000000004E75000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.437623888.0000000002A82000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.558772594.0000000004597000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.435060985.0000000002F40000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438760333.0000000002A7C000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbE% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb[% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.434470631.0000000002F4C000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438229075.0000000002A88000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbp source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb.LK source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb2LG source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbI% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb]% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593519957.0000000004DF5000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: glu32.pdb7 source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb% source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbW% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb|0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: combase.pdbC% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: FGERN.pdb source: f845ef61_by_Libranalysis.dll
Source: Binary string: dwmapi.pdb(LM source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.434230037.0000000002F46000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.437623888.0000000002A82000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: ole32.pdbCC source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbs source: WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
Source: Binary string: a/pjr2pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000D.00000002.602833822.00000000023D2000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdbm source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbp source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593519957.0000000004DF5000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbk source: WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbL0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb*0!% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596557954.0000000004962000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb$LQ source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.435060985.0000000002F40000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438760333.0000000002A7C000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596797767.0000000004960000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb<Ly source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: combase.pdbs source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593173201.0000000004DF2000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbz0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000D.00000003.436771504.0000000002A76000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdbg source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb,0+% source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdba source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdbh0 source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.440503440.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593477740.0000000004DF0000.00000004.00000040.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.434470631.0000000002F4C000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.438229075.0000000002A88000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbeN source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbF^ source: WerFault.exe, 00000014.00000003.596847466.0000000004968000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.440529525.00000000052D6000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.593251198.0000000004DF8000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.440473246.0000000005301000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.593009404.0000000004CC1000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.596512885.0000000004B51000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 193.200.130.181:443
Source: Malware configuration extractor | IPs: 95.138.161.226:2303
Source: Malware configuration extractor | IPs: 167.114.113.13:4125
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 167.114.113.13
Source: Joe Sandbox View | IP Address: 95.138.161.226
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: RACKSPACE-LONGB

                      E-Banking Fraud:

                      barindex
                      Yara detected Dridex unpacked fileShow sources
                      Source: Yara matchFile source: 00000010.00000002.593134823.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.593304791.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.590448594.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.594741649.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.605551680.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 15.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_10011460
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_1000846C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_10001494
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_1000A52C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_10011D58
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_10019348
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_10010754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_100090CC
                       Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 764
                       Source: f845ef61_by_Libranalysis.dll Binary or memory string: OriginalFilenamej2pcsc.dllN vs f845ef61_by_Libranalysis.dll
                       Source: f845ef61_by_Libranalysis.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                       Source: f845ef61_by_Libranalysis.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                       Source: classification engine Classification label: mal76.troj.evad.winDLL@24/16@0/4
                       Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6560
                       Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess340
                       Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6612
                       Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6624
                       Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA522.tmp
                       Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                       Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                       Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt
                       Source: f845ef61_by_Libranalysis.dll Metadefender: Detection: 21%
                       Source: f845ef61_by_Libranalysis.dll ReversingLabs: Detection: 23%
                       Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll'
                       Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
                       Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt
                       Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
                       Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 764
                       Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 888
                       Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllCanUnloadNow
                       Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllGetClassObject
                       Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddFileToInstance
                       Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddParameter
                       Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiCancel
                       Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 604
                       Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760
                       Source: f845ef61_by_Libranalysis.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
                       Source: f845ef61_by_Libranalysis.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: FGERN.pdb source: f845ef61_by_Libranalysis.dll
                       Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_1000F6CC push esi; mov dword ptr [esp], 00000000h
                       Source: initial sample Static PE information: section name: .text entropy: 7.56345314972
                       Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                       Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                       Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                       Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Windows\System32\loaddll32.exe; Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe; Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe; Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe; Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe; Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe; Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe; Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe; Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\System32\loaddll32.exe; Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: WerFault.exe, 0000000B.00000002.604193896.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.605983948.0000000004E80000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000B.00000002.602500515.0000000004D70000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000B.00000002.604193896.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.605983948.0000000004E80000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000B.00000002.604193896.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.605983948.0000000004E80000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000B.00000002.604193896.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.605983948.0000000004E80000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 14_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Disable or Modify Tools1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion11 | LSASS Memory | Security Software Discovery111 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Virtualization/Sandbox Evasion11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Account Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll321 | LSA Secrets | System Owner/User Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing2 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery11 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Behavior graph (rendered as an image in the report); the labels that survive extraction are:
Behavior Graph ID: 404282; Sample: f845ef61_by_Libranalysis; Start date: 04/05/2021; Architecture: WINDOWS; Score: 76
Contacted IPs: 95.138.161.226 (RACKSPACE-LONGB, United Kingdom); 167.114.113.13 (OVHFR, Canada); 193.200.130.181 (CLOUD-MANAGEMENT-LLCUS, unknown); 192.168.2.1 (unknown, contacted by WerFault.exe)
Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Dridex unpacked file; 2 other signatures
Process tree: loaddll32.exe started cmd.exe, two rundll32.exe instances and 5 other processes; cmd.exe started rundll32.exe; each rundll32.exe instance started WerFault.exe; loaddll32.exe and the rundll32.exe instances triggered "Tries to detect sandboxes / dynamic malware analysis system (file name check)"; the WerFault.exe started by the rundll32.exe under cmd.exe contacted 192.168.2.1


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
f845ef61_by_Libranalysis.dll | 21% | Metadefender |
f845ef61_by_Libranalysis.dll | 23% | ReversingLabs | Win32.Trojan.Emotet
f845ef61_by_Libranalysis.dll | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
17.2.rundll32.exe.2c20000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
14.2.rundll32.exe.29d0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.2d30000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.rundll32.exe.2dc0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.2.rundll32.exe.2f30000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.rundll32.exe.27f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

                      No Antivirus matches

                      URLs

                      No Antivirus matches

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted IPs


                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
167.114.113.13 | unknown | Canada | 16276 | OVHFR | true
95.138.161.226 | unknown | United Kingdom | 15395 | RACKSPACE-LONGB | true
193.200.130.181 | unknown | unknown | 42960 | CLOUD-MANAGEMENT-LLCUS | true

                      Private

                      IP
                      192.168.2.1

                      General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404282
Start date: 04.05.2021
Start time: 21:32:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 19s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: f845ef61_by_Libranalysis (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winDLL@24/16@0/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 59% (good quality ratio 53.6%)
• Quality average: 75.8%
• Quality standard deviation: 32.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Report size exceeded maximum capacity and may have missing behavior information.

                      Simulations

                      Behavior and APIs

Time | Type | Description
21:34:28 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
21:35:43 | API Interceptor | 2x Sleep call for process: WerFault.exe modified

                      Joe Sandbox View / Context

                      IPs

Match | Associated Sample Name / URL | Detection
167.114.113.13 | e1c88b94_by_Libranalysis.dll | malicious
167.114.113.13 | 8743016c_by_Libranalysis.dll | malicious
167.114.113.13 | d8417415_by_Libranalysis.dll | malicious
167.114.113.13 | 9a46403f_by_Libranalysis.dll | malicious
167.114.113.13 | edae86a8_by_Libranalysis.dll | malicious
167.114.113.13 | 457aedfd_by_Libranalysis.dll | malicious
167.114.113.13 | 64b8ed95_by_Libranalysis.dll | malicious
167.114.113.13 | 8743016c_by_Libranalysis.dll | malicious
167.114.113.13 | d8417415_by_Libranalysis.dll | malicious
167.114.113.13 | c977c96e_by_Libranalysis.dll | malicious
167.114.113.13 | 9a46403f_by_Libranalysis.dll | malicious
167.114.113.13 | 457aedfd_by_Libranalysis.dll | malicious
167.114.113.13 | edae86a8_by_Libranalysis.dll | malicious
167.114.113.13 | b8dd7ed8_by_Libranalysis.dll | malicious
167.114.113.13 | af1e75cf_by_Libranalysis.dll | malicious
167.114.113.13 | 64b8ed95_by_Libranalysis.dll | malicious
167.114.113.13 | c85a75aa_by_Libranalysis.dll | malicious
167.114.113.13 | c977c96e_by_Libranalysis.dll | malicious
167.114.113.13 | b8dd7ed8_by_Libranalysis.dll | malicious
167.114.113.13 | af1e75cf_by_Libranalysis.dll | malicious
95.138.161.226 | fc0bc077_by_Libranalysis.dll | malicious
95.138.161.226 | e1c88b94_by_Libranalysis.dll | malicious
95.138.161.226 | 8743016c_by_Libranalysis.dll | malicious
95.138.161.226 | d8417415_by_Libranalysis.dll | malicious
95.138.161.226 | 9a46403f_by_Libranalysis.dll | malicious
95.138.161.226 | edae86a8_by_Libranalysis.dll | malicious
95.138.161.226 | 457aedfd_by_Libranalysis.dll | malicious
95.138.161.226 | 64b8ed95_by_Libranalysis.dll | malicious
95.138.161.226 | 8743016c_by_Libranalysis.dll | malicious
95.138.161.226 | d8417415_by_Libranalysis.dll | malicious
95.138.161.226 | c977c96e_by_Libranalysis.dll | malicious
95.138.161.226 | 9a46403f_by_Libranalysis.dll | malicious
95.138.161.226 | 457aedfd_by_Libranalysis.dll | malicious
95.138.161.226 | edae86a8_by_Libranalysis.dll | malicious
95.138.161.226 | b8dd7ed8_by_Libranalysis.dll | malicious
95.138.161.226 | af1e75cf_by_Libranalysis.dll | malicious
95.138.161.226 | 64b8ed95_by_Libranalysis.dll | malicious
95.138.161.226 | c85a75aa_by_Libranalysis.dll | malicious
95.138.161.226 | c977c96e_by_Libranalysis.dll | malicious
95.138.161.226 | b8dd7ed8_by_Libranalysis.dll | malicious

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
RACKSPACE-LONGB | fc0bc077_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | e1c88b94_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | 8743016c_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | d8417415_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | 9a46403f_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | edae86a8_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | 457aedfd_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | 64b8ed95_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | 8743016c_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | d8417415_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | c977c96e_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | 9a46403f_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | 457aedfd_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | edae86a8_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | b8dd7ed8_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | af1e75cf_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | 64b8ed95_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | c85a75aa_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | c977c96e_by_Libranalysis.dll | malicious | 95.138.161.226
RACKSPACE-LONGB | b8dd7ed8_by_Libranalysis.dll | malicious | 95.138.161.226
OVHFR | fc0bc077_by_Libranalysis.dll | malicious | 167.114.113.13
OVHFR | e1c88b94_by_Libranalysis.dll | malicious | 167.114.113.13
OVHFR | 8743016c_by_Libranalysis.dll | malicious | 167.114.113.13
OVHFR | d8417415_by_Libranalysis.dll | malicious | 167.114.113.13
OVHFR | 9a46403f_by_Libranalysis.dll | malicious | 167.114.113.13
OVHFR | edae86a8_by_Libranalysis.dll | malicious | 167.114.113.13
OVHFR | 457aedfd_by_Libranalysis.dll | malicious | 167.114.113.13
OVHFR | 64b8ed95_by_Libranalysis.dll | malicious | 167.114.113.13
OVHFR | 8743016c_by_Libranalysis.dll | malicious | 167.114.113.13
                                                                                                      d8417415_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13
                                                                                                      c977c96e_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13
                                                                                                      9a46403f_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13
                                                                                                      457aedfd_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13
                                                                                                      edae86a8_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13
                                                                                                      b8dd7ed8_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13
                                                                                                      af1e75cf_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13
                                                                                                      64b8ed95_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13
                                                                                                      c85a75aa_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13
                                                                                                      c977c96e_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13
                                                                                                      b8dd7ed8_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                      • 167.114.113.13

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_dce71326267e822e1c117e5eaeaff0826af57120_82810a17_0392d5b3\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12690
Entropy (8bit): 3.767778819020176
Encrypted: false
SSDEEP: 192:kcih0oXFt/HBUZMX4jed+4tgR/u7szS274ItWcO:XiPX/BUZMX4jeW/u7szX4ItWcO
MD5: 1A675A02B2D952A07081366B13953813
SHA1: DB3EC45C2752C24A54DD6F126518BC3C0A86BE5E
SHA-256: B897D4A38EDB3991344F57BC6DC7393EC77CC22ED10DB2B3CF06ADA72D528450
SHA-512: D7C67D5479C16B960B7160510BDA4FA665F78954C6EC91CC6145EF1D0B294A11ECA77F8EA9B7E8783DF240D7340A1257F920BCFAAA475D4710543BC7ADDA6148
Malicious: false
Preview (UTF-16LE decoded, truncated):
  Version=1
  EventType=APPCRASH
  EventTime=132646629397368093
  ReportType=2
  Consent=1
  UploadTime=132646629439867894
  ReportStatus=268435456
  ReportIdentifier=09e15795-aba3-4a16-a61e-a2d47a89225c
  IntegratorReportIdentifier=3f381f9d-89e7-4664-9995-19066d5600d8
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=rundll32.exe
  OriginalFilename=RUNDLL32.EXE
  AppSessionGuid=00000154-0001-0017-c850-b3ee6741d701
  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000bcc5dc3222034d3f257f1fd35889e5be90 (cut off in the preview)
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_dce71326267e822e1c117e5eaeaff0826af57120_82810a17_1bc6ccab\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12686
Entropy (8bit): 3.766455366876917
Encrypted: false
SSDEEP: 192:Unoic0oXTt/HBUZMX4jed+4tgR/u7szS274ItWce:Uoi6XZBUZMX4jeW/u7szX4ItWce
MD5: 29B01924C6792CF69CEB2BD2D617CEF7
SHA1: 072BE39C401037DBBDE865B7F227F4A79F346DC1
SHA-256: 2090E17E58E62A915E344893761408B1D4E085B3A8228A3FD20C38F99564F63B
SHA-512: 44BF60C1A39AB0B7FA200E2CC4DB75687B08E3B1F4A7E04D69204E1E203D1DC2183881329A5DAD383DF74213B6AECC17E68204B169BC1DD172F015F1EA212766
Malicious: false
Preview (UTF-16LE decoded, truncated):
  Version=1
  EventType=APPCRASH
  EventTime=132646628673698104
  ReportType=2
  Consent=1
  UploadTime=132646629403305561
  ReportStatus=268435456
  ReportIdentifier=29eb21de-9fbc-4c36-b73b-f2452ca7e7ef
  IntegratorReportIdentifier=419998b0-8aef-415d-b11a-a09e17ca1de2
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=rundll32.exe
  OriginalFilename=RUNDLL32.EXE
  AppSessionGuid=000019e0-0001-0017-fa10-d2d36741d701
  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000bcc5dc3222034d3f257f1fd35889e5be90 (cut off in the preview)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_b3c3f4fadd93feaae32432e12e4ecf43be5717_160cf2be_1812d69e\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 4046
Entropy (8bit): 3.7583280900160005
Encrypted: false
SSDEEP: 96:7raExXyJy9hADR5FaM056tpXIQcQ6c6n+hcEZcw3P+a+z+HbHghR5Fpow2:PuFtFHUb+hjbjEt0
MD5: D22053682F90E808288386BF897F77DD
SHA1: 41C846678F945C3A4BFAEE9DD1842B4BF0FCF617
SHA-256: 64A7B986F3CA6A88E7C2F9B8352EA1FB8856D47F9B3A708C217D55F43965BA04
SHA-512: 7E3D5ECB599CD971F496194FC94F40DF6930807F00AE6DCD64D9D302861A6A7526968796C7950D3B262F37ECEE87C8B35D098493483E7F7B76FB67604C413783
Malicious: false
Preview (UTF-16LE decoded, truncated):
  Version=1
  EventType=BEX
  EventTime=132646629390805649
  ReportType=2
  Consent=1
  ReportIdentifier=745ed3c3-f5a1-451f-9959-52c68248e33d
  IntegratorReportIdentifier=5d5ac7fc-f29e-43d3-b0c2-e4163d9d1d73
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=loaddll32.exe
  AppSessionGuid=000019a0-0001-0017-6b21-6ed36741d701
  TargetAppId=W:0000da39a3ee5e6b4b0d3255bfef95601890afd80709!0000da39a3ee5e6b4b0d3255bfef95601890afd80709!loaddll32.exe
  TargetAppVer=2021//04//04:10:50:54!0!loaddll32.exe
  BootId=429496729 (cut off in the preview)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dcfe149c111a993ad25989825f5fd3b9a5561_82810a17_0c9ed15e\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12864
Entropy (8bit): 3.75628365190522
Encrypted: false
SSDEEP: 192:EziI0oXJtFHVzOMjed+4tA8/u7szS274It7c6:EziuXhVzOMje7/u7szX4It7c6
MD5: 399D22A77DF52C296F06CD7CBF6CFA98
SHA1: 28C79AD6486ED261A0CDC0DD20FBF52D5B98300A
SHA-256: AAB752AB8EE03288291A36B4131C3AA327702D6E6E4603960EA6E7443EB9BB9E
SHA-512: 1FE363D67404DD04371B5D6E0C1E799B235A5DCD240A19DF9761382BAB56F8719E52A8C33BEAF939591C50CBF1AD7A26DAF3E0AF51E78D0B8B9E1C987E6B6B7E
Malicious: false
Preview (UTF-16LE decoded, truncated):
  Version=1
  EventType=BEX
  EventTime=132646628721979154
  ReportType=2
  Consent=1
  ReportIdentifier=440490a6-29ae-4134-afb3-b104ca7e09ad
  IntegratorReportIdentifier=d0e24e94-833c-4a43-b6b9-792734c70141
  Wow64Host=34404
  Wow64Guest=332
  NsAppName=rundll32.exe
  OriginalFilename=RUNDLL32.EXE
  AppSessionGuid=000019d4-0001-0017-2ecb-cdd36741d701
  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000bcc5dc3222034d3f257f1fd35889e5be90f09b5f!rundll32.exe
  TargetAppVer=1986//01//30:11:42:44!103d (cut off in the preview)
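The four Report.wer records above are the only dropped artifacts that describe the crashes themselves (the "One or more processes crash" signature), so on a real host they are worth parsing rather than reading by eye. The following Python is an added example, not part of the sandbox report or of any tooling the report was produced with: it decodes a Report.wer blob (UTF-16LE with BOM and CRLF line endings, one Key=Value per line, as the File Type lines state), pulls out the fields a responder wants, and recomputes the same 8-bit Shannon entropy the report lists per dropped file. The sample blob is constructed from the decoded preview of the first record and is not the full file; the function and constant names are mine. Two readings the code turns into checks: Wow64Host=34404 (0x8664, AMD64) together with Wow64Guest=332 (0x14C, I386) means a 32-bit process crashed under WOW64, which is why the reporting process is the SysWOW64 WerFault.exe; and an entropy around 3.8 bits per byte is simply what UTF-16 text made of ASCII characters looks like (every second byte is 0x00), so the "Encrypted: false" verdict on these files says nothing about packing of the sample itself.

```python
"""Added example (not from the sandbox report): triage WER Report.wer crash
records and reproduce the 'Entropy (8bit)' figure the report lists per file.

Report.wer is UTF-16LE text with a BOM and CRLF line endings, one Key=Value
per line. The sample below is constructed from the decoded preview of the
first Report.wer record on the page; it is not the complete file.
"""
import math
from collections import Counter

# Constructed sample, re-encoded the way WerFault.exe writes it (BOM + UTF-16LE + CRLF).
SAMPLE_REPORT_WER = b"\xff\xfe" + (
    "Version=1\r\n"
    "EventType=APPCRASH\r\n"
    "EventTime=132646629397368093\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "UploadTime=132646629439867894\r\n"
    "ReportStatus=268435456\r\n"
    "ReportIdentifier=09e15795-aba3-4a16-a61e-a2d47a89225c\r\n"
    "Wow64Host=34404\r\n"
    "Wow64Guest=332\r\n"
    "NsAppName=rundll32.exe\r\n"
    "OriginalFilename=RUNDLL32.EXE\r\n"
    "AppSessionGuid=00000154-0001-0017-c850-b3ee6741d701\r\n"
).encode("utf-16-le")

# PE machine IDs as WER records them, in decimal: 0x8664 AMD64, 0x14C I386.
MACHINE_AMD64 = "34404"
MACHINE_I386 = "332"


def parse_report_wer(data: bytes) -> dict:
    """Decode a Report.wer blob into {Key: Value}; honours either BOM, defaults to LE."""
    if data.startswith(b"\xff\xfe"):
        text = data[2:].decode("utf-16-le")
    elif data.startswith(b"\xfe\xff"):
        text = data[2:].decode("utf-16-be")
    else:
        # WER writes UTF-16LE; without a BOM that is still the right guess, not UTF-8.
        text = data.decode("utf-16-le")
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        # Split on the first '=' only: Sig[n].Value entries may themselves contain '='.
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy over byte values, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def summarize_crash(data: bytes) -> dict:
    """Pull out what a responder wants from one Report.wer."""
    f = parse_report_wer(data)
    entropy = shannon_entropy_8bit(data)
    return {
        # APPCRASH is a generic unhandled exception; BEX is WER's bucket for faults that
        # look like a buffer overrun or DEP violation. Neither on its own proves exploitation.
        "event": f.get("EventType"),
        "process": f.get("NsAppName"),
        "report_id": f.get("ReportIdentifier"),
        # 32-bit guest under a 64-bit host: the crashing process ran under WOW64.
        "wow64": f.get("Wow64Host") == MACHINE_AMD64 and f.get("Wow64Guest") == MACHINE_I386,
        "entropy": round(entropy, 3),
        # Compressed or encrypted data sits near 8 bits/byte; UTF-16 ASCII text sits near 3-4.
        "looks_encrypted": entropy > 7.0,
    }


if __name__ == "__main__":
    for key, value in summarize_crash(SAMPLE_REPORT_WER).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary for the constructed sample, or import it and call summarize_crash() on the bytes of a real Report.wer pulled from the ReportArchive or ReportQueue directories shown in the paths above; records in ReportQueue (the two BEX entries) carry no UploadTime because they have not been sent yet.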
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA522.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Wed May 5 04:34:29 2021, 0x1205a4 type
Category: dropped
Size (bytes): 45352
Entropy (8bit): 2.3362135494825385
Encrypted: false
SSDEEP: 192:A3SEOCB4HcUYBkkJ/HSMDBjmWt2dTothDnhE8UvcMXWOFo1u:yP4HcU7kt9jj2dTED+8UJmO60
MD5: 2596E1FF6402AA650158C594A73FE46E
SHA1: FAFA97B727226F00A1DE826BCC01B3483B5484F5
SHA-256: C6941025D4D6C4FAEDF87D3592254E16B84F59C5F4B4C6122A09059386F8A8B4
SHA-512: 510E20CDE69C369E6C9992C95CFA00590C97AF74C52A4A71C86B40D1A7B12110C1BC79DEED2A07A6570165C81CC0F6351386D92AA0AB8CF9CF81BEE4036580C4
Malicious: false
Preview (binary minidump; readable strings only, truncated): MDMP ... GenuineIntel ... Pacific Standard Time ... Pacific Daylight Time ... 17134.1.x86fre.rs4_release.180410-1804 ... dbgcore.i386,10.0.17134.1
C:\ProgramData\Microsoft\Windows\WER\Temp\WERADBF.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8294
Entropy (8bit): 3.6959143638714216
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiLB676Ygw6LBJSgmfTjt0S6Cprt89bKpsf8Om:RrlsNi9676Y/6d8gmfTuSIKCfc
MD5: 2F27C37A6CE25C20A6E1FC40626CF1B2
SHA1: 31D26FC5CF27C6B0F12A82BE70D6991C4F9005E1
SHA-256: D413F08EF07EA420670CC5E22CDA105AB699115897C655BCF51A5C21F8D4E5A5
SHA-512: 335927C6F323B962C14FB32661A9EC223B078F8B86DC1C88CEB23D9708386D792D1E60631D88D339C7043B9BCC3D72A6E77153B3326DA720F4402D74F4A71A79
Malicious: false
Preview (UTF-16LE decoded, truncated):
  <?xml version="1.0" encoding="UTF-16"?>
  <WERReportMetadata>
    <OSVersionInformation>
      <WindowsNTVersion>10.0</WindowsNTVersion>
      <Build>17134</Build>
      <Product>(0x30): Windows 10 Pro</Product>
      <Edition>Professional</Edition>
      <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
      <Revision>1</Revision>
      <Flavor>Multiprocessor Free</Flavor>
      <Architecture>X64</Architecture>
      <LCID>1033</LCID>
    </OSVersionInformation>
    <ProcessInformation>
      <Pid>6624</Pid>
  (cut off in the preview)
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7FF.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Wed May 5 04:35:40 2021, 0x1205a4 type
Category: dropped
Size (bytes): 48900
Entropy (8bit): 2.3359886579543874
Encrypted: false
SSDEEP: 192:WEeEiIn6Nc7XASX8snXQZZ1ZtDntxQhyrDjhPnwb25x8:Vekn6KXA01nkZ130yrZPm2I
MD5: F992D99ACC66A53B8DB4C44E9892B108
SHA1: F9D840EABD0328972C8644DCDCBE031A395494AF
SHA-256: DAD9BACAF18996650031CBE686293274C93AA9EC479594D94F252318536E2211
SHA-512: 1D8C9881F81BB5A25AE53EB4531CCE5E881240C1783F2FF0953A576C7464D10BF1387B5D3613C5975B8DAFE9D694DD1E49D8B470683861B260E7152F9E1DB6C2
Malicious: false
Preview (binary minidump; readable strings only, truncated): MDMP ... GenuineIntel ... Pacific Standard Time ... Pacific Daylight Time ... 17134.1.x86fre.rs4_release.180410-1804 ... dbgcore.i386,10.0.17134.1
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8AC.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4665
Entropy (8bit): 4.474751280442169
Encrypted: false
SSDEEP: 48:cvIwSD8zs5JgtWI9icWSC8B1N8fm8M4JCdsjN4xFawj+q8/SNGpY54SrS2d:uITfLRVSNKJxN4xBNGq5DW2d
MD5: 5E6B2B82E68EC14B0A2F25A277297EA6
SHA1: 3B4D22ADBB0A319A292A140F9B63F982E6060F72
SHA-256: 431546D089B0CF1AFE34BCA0749678B1163AE2903A613BB3266CEE291D2AF826
SHA-512: 3DA869BF35D4DA716ACF1EA9ECB5548D3F235B0B892A40DFF6D8C4D78E8D64B2E5975BB4029182D7AB4BF3AADB986ABD04A7A01163BC3E539F3DFE3D144E36E7
Malicious: false
Preview (truncated):
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <req ver="2">
    <tlm>
      <src>
        <desc>
          <mach>
            <os>
              <arg nm="vermaj" val="10" />
              <arg nm="vermin" val="0" />
              <arg nm="verbld" val="17134" />
              <arg nm="vercsdbld" val="1" />
              <arg nm="verqfe" val="1" />
              <arg nm="csdbld" val="1" />
              <arg nm="versp" val="0" />
              <arg nm="arch" val="9" />
              <arg nm="lcid" val="1033" />
              <arg nm="geoid" val="244" />
              <arg nm="sku" val="48" />
              <arg nm="domain" val="0" />
              <arg nm="prodsuite" val="256" />
              <arg nm="ntprodtype" val="1" />
              <arg nm="platid" val="2" />
              <arg nm="tmsi" val="975705" />
              <arg nm="osinsty" val="1" />
              <arg nm="iever" val="11.1.17134.0-11.0.47" />
              <arg nm="portos" val="0" />
              <arg nm="ram" val="4096" />
  (cut off in the preview)
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD3A.tmp.dmp
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:Mini DuMP crash report, 15 streams, Wed May 5 04:35:42 2021, 0x1205a4 type
                                                                                                      Category:dropped
                                                                                                      Size (bytes):40866
                                                                                                      Entropy (8bit):2.2913187559018526
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:o6/E8EGW724qCJNtnISBtftUgvAfAfjb5oW0tTGmxWClA:o8HH4Nt94Yfjb5oW0t6m4AA
                                                                                                      MD5:A791A082DAE953F2C7BA93206A231FD8
                                                                                                      SHA1:7426BEE53D5621F8797153B62B037886A3022E74
                                                                                                      SHA-256:82CB569E4919915520730CB54AFD58625B5D381323118EACE9B869B4C14547D1
                                                                                                      SHA-512:77B255799ABDFD5CBB0773B173526CC8ADD109443F116E37858529D97408A260316AB053EE5A787338972E6B8BF1B6131FF3C272DD295CC0345385BDCC9E5874
                                                                                                      Malicious:false
                                                                                                       Preview: MDMP (minidump; binary header, embedded UTF-16 strings decoded): GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804, dbgcore.i386,10.0.17134.1
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFCA.tmp.dmp
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:Mini DuMP crash report, 14 streams, Wed May 5 04:35:41 2021, 0x1205a4 type
                                                                                                      Category:dropped
                                                                                                      Size (bytes):45800
                                                                                                      Entropy (8bit):2.339043348157492
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:44hBkWrXZnJrAgNOSMDBjmWt2dT6tcMsRRDXywMdknUN41:xjkqZnp1o9jj2dTDVXybkUe1
                                                                                                      MD5:2003843535EEB46700967E952F209DA6
                                                                                                      SHA1:2323909D2DF1BBB09ED0BB4F3F9AB631E5F5540B
                                                                                                      SHA-256:99E7EF9C162973B550979C71EC0F4F9A169DF71EDEFBE5808D4AEA510A3B2DC8
                                                                                                      SHA-512:9C04C056721474D81769515223FA43A83CE62E1620ACF47FEB3C7039C9026F71E7127307F763169F0AFDCF5EA4BD962BFEFC0A70E3686A5303E55A57CFB1D061
                                                                                                      Malicious:false
                                                                                                       Preview: MDMP (minidump; binary header, embedded UTF-16 strings decoded): GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804, dbgcore.i386,10.0.17134.1
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4EB.tmp.WERInternalMetadata.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8386
                                                                                                      Entropy (8bit):3.687452439650677
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Rrl7r3GLNiuJ6W6YPq60dgmf8jtHSRCpBY89bsdsfZkm:RrlsNig6W6Yi60dgmf8xSOsWff
                                                                                                      MD5:412DD1CDBEDF541A6E9BC5F01DA2FBF2
                                                                                                      SHA1:80BE45976B9D86F5BEB9006E1128FF94B9CF3B71
                                                                                                      SHA-256:E9BE15CE9FCB5B810FE3BDA054016F5224B5EA56A3728C98203311925329DABA
                                                                                                      SHA-512:15AD5AB785DB5F9DBFD60577514017B0A9274989E0D4EB4BB142D2B4EA3CF245F5AD0622B551397282E6E7DADBCE493BEA25630123648ADF7FD033396F7ACA80
                                                                                                      Malicious:false
                                                                                                       Preview (UTF-16 decoded): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6612</Pid>
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERC98F.tmp.WERInternalMetadata.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8314
                                                                                                      Entropy (8bit):3.69403094936695
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Rrl7r3GLNi6H6GIsA6YP+6HdgmfTjt0S6CprM89bnDsfANm:RrlsNiy6F6Ym6HdgmfTuSrnofH
                                                                                                      MD5:10C704259545178D5312AF491E4C3C6E
                                                                                                      SHA1:8CBFC514A1F1686643644126955E5E8A69F07FBD
                                                                                                      SHA-256:E108FA11BABA0A25C56E4BC096D25F64D6A11470CD6684DA8324566391B1436D
                                                                                                      SHA-512:A76C3F946C3C999F7BA81BBE1778014543129CB55A7EA3F85C11EF32EF283CD6A64911143D249B545B650DDB49062124FF8414583456E54A2A8EE83579DCDEBB
                                                                                                      Malicious:false
                                                                                                       Preview (UTF-16 decoded): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>340</Pid>
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA89.tmp.WERInternalMetadata.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8402
                                                                                                      Entropy (8bit):3.6926431326651312
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Rrl7r3GLNif36fd6YJDdSUaUgmfftHS1DCpBm89bn2sf7Nm:RrlsNif6fd6YPSUaUgmfNS12nVf8
                                                                                                      MD5:C2436AF33F48588BED9A9192EE8AE89F
                                                                                                      SHA1:4BD35F9312D6431C3CCE89485A19E82C6EEAEB62
                                                                                                      SHA-256:D34B1AD148AA7F5EA23A53114066D049CEDB047076983BBCED09CBC1A23B9BD0
                                                                                                      SHA-512:07825866B4F18C134C292154676BE2324A1E308AE15D1D0E9B50EF91AB86704A64B435E2447D745B01C1D9F403E867D7389BF847A40E5C841A1036370012EBE7
                                                                                                      Malicious:false
                                                                                                       Preview (UTF-16 decoded): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6560</Pid>
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAF7.tmp.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4665
                                                                                                      Entropy (8bit):4.478889368836247
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cvIwSD8zsQJgtWI9icWSC8BM8fm8M4JCdsjN4xFF+q8/SNGpB54SrSXd:uITfWRVSN3JxN4JBNGj5DWXd
                                                                                                      MD5:0EF968BE1C2A51D5B408644C613F06A0
                                                                                                      SHA1:EC9960AF57142AE326F6E0A6A9B1489893BB8317
                                                                                                      SHA-256:BF9375F84CFEEF9F69442311B79E72A7C8F3459DD49E7BA1D42A3B7BD17F6FC6
                                                                                                      SHA-512:C039E05B5D5C09C75224E06A9B0A09037DC81C3692E8183F8684109A506530393B88C2D37B1A5BAA54159A5D890A55D7971697A936DD4E5895B4444083AE43A2
                                                                                                      Malicious:false
                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975706" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB26.tmp.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4766
                                                                                                      Entropy (8bit):4.46119953682272
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cvIwSD8zsQJgtWI9icWSC8BM8fm8M4JCdsjN4fFR8+q8vjsjN49a54SrS5d:uITfWRVSN3JxN438KcN445DW5d
                                                                                                      MD5:8307F7F29018E332287E9714DA7396EE
                                                                                                      SHA1:D8449BCB2FFCCAA336A10D1725785DB7B8355CBA
                                                                                                      SHA-256:B355C18D579CCEDE0DF80E219D1B99FCBFFB01DE6F267620ECA9B0FE7301431E
                                                                                                      SHA-512:36453F9F27DAF8110DE390FC51CD53763D9BCC117D2FC804883BF90564F66C9753831A14EA953E13613279A8CE126BACC876BF590D63BD2EE1C07DB9FD3C3FFD
                                                                                                      Malicious:false
                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975706" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1BE.tmp.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4694
                                                                                                      Entropy (8bit):4.43605378061469
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cvIwSD8zsQJgtWI9icWSC8BBs8fm8M4JVjN4fFB9+q8v7jN4Pnc5KcQIcQw6Urld:uITfWRVSNTRJhN4RKXN4Pnc5Kkw68ld
                                                                                                      MD5:65F354B7388A5B5826F5C04336E04208
                                                                                                      SHA1:3438EC40AB121474326743A3FE22019416E51143
                                                                                                      SHA-256:D6C9CBC33A14B778F8E266E64AE3CA967CEB7356B1AF8348301ABBE51810803E
                                                                                                      SHA-512:3F088ECC0BDC74109E7CF595711523DF79DD1FA69700231423699144DDB0DBF62DCF9DECC551E9B1111BA8EEB6C931C4DCECC56BE89F65610F0A9E6F29705892
                                                                                                      Malicious:false
                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975706" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                                      Static File Info

                                                                                                      General

                                                                                                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Entropy (8bit):7.549621998734475
                                                                                                      TrID:
                                                                                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                      • DOS Executable Generic (2002/1) 0.20%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:f845ef61_by_Libranalysis.dll
                                                                                                      File size:164864
                                                                                                      MD5:f845ef6120dfd5a421786e9d818c9ddb
                                                                                                      SHA1:0517da7604bec2311002f113938660db1a7c7c98
                                                                                                      SHA256:26af94089c064eafa3025ac20749882f18213bf8608147a2b842e55e13d7c688
                                                                                                      SHA512:de7fd74114c96ef890112bb1cfd1b8505f588f9eb02f7dcf71ca829f8fa696255cce1cdcf8442d395956cadb8427aabbe2cca5da2dc0a0a14e2b0acb2d9365fc
                                                                                                      SSDEEP:3072:hz63mpMBf4M8+pwhukvhU7fWaX/77/DZgTmbg+MGaFplA33VBrUXCx3:5a/jkvhSlP/7bg8aFnA3brJ
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.%.0zK.0zK.0zK.0zJ.}{K...3..{K.....P{K...3..zK.V....zK...1..{K......zK.Rich0zK.........................................PE..L..

                                                                                                      File Icon

                                                                                                      Icon Hash:74f0e4ecccdce0e4

                                                                                                      Static PE Info

                                                                                                      General

                                                                                                      Entrypoint:0x10024080
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x10000000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                      Time Stamp:0x60903ACE [Mon May 3 18:02:54 2021 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:5
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:5
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:5
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:e6aa540e1f4085a198af68216e7e3577

                                                                                                      Entrypoint Preview

                                                                                                      Instruction
                                                                                                      mov edx, eax
                                                                                                      xor eax, eax
                                                                                                      add eax, 00002233h
                                                                                                      cmpss xmm1, xmm2, 03h
                                                                                                      sub eax, 00002233h
                                                                                                      mov edx, 00000000h
                                                                                                      mov edx, 00000000h
                                                                                                      mov edx, 00000000h
                                                                                                      mov edx, 00000000h
                                                                                                      mov edx, 00000000h
                                                                                                      mov edx, 00000000h
                                                                                                      cmpss xmm1, xmm2, 03h
                                                                                                      cmp eax, 01h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
mov eax, 00000000h

Rich Headers

Programming Language:
• [RES] VS2012 UPD3 build 60610
• [LNK] VS2005 build 50727
• [EXP] VS2005 build 50727
• [ C ] VS2012 UPD4 build 61030
• [IMP] VS2013 UPD2 build 30501

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x27730 | 0x55 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27804 | 0x59 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x3a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2d000 | 0x1220 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10018 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x60 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x23202 | 0x23400 | False | 0.757459275266 | data | 7.56345314972 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x25000 | 0x2b6b | 0x2c00 | False | 0.759410511364 | data | 7.49732911273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x28000 | 0x3473 | 0x1800 | False | 0.809244791667 | MMDF mailbox | 7.52945947875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x3a0 | 0x400 | False | 0.4091796875 | data | 3.06807977608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2d000 | 0x260 | 0x400 | False | 0.5263671875 | data | 4.13662763457 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x2c060 | 0x33c | data | |

Imports

DLL | Import
ADVAPI32.dll | RegOverridePredefKey
KERNEL32.dll | GetProfileSectionA, GetProfileSectionW, CreateFileW, CloseHandle, OutputDebugStringA, LoadLibraryExW, OpenSemaphoreW, LoadLibraryW
msvcrt.dll | memset
RASAPI32.dll | RasGetConnectionStatistics
USER32.dll | TranslateMessage
OPENGL32.dll | glTexSubImage1D
CLUSAPI.dll | ClusterEnum
ole32.dll | CreateStreamOnHGlobal, CreatePointerMoniker

Exports

Name | Ordinal | Address
LoxmtYt | 1 | 0x10027776

Version Infos

Description | Data
LegalCopyright | Copyright 2018
InternalName | j2pcsc
FileVersion | 8.0.1710.11
Full Version | 1.8.0_171-b11
CompanyName | Oracle Corporation
ProductName | Java(TM) Platform SE 8
ProductVersion | 8.0.1710.11
FileDescription | Java(TM) Platform SE binary
OriginalFilename | j2pcsc.dll
Translation | 0x0000 0x04b0

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/04/21-21:33:35.275508 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.128
05/04/21-21:33:35.310773 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
05/04/21-21:33:35.312018 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.128
05/04/21-21:33:35.347877 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 149.11.89.129 | 192.168.2.6
05/04/21-21:33:35.348906 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.128
05/04/21-21:33:35.386995 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.49.165 | 192.168.2.6
05/04/21-21:33:35.389566 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.128
05/04/21-21:33:35.431462 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.0.18 | 192.168.2.6
05/04/21-21:33:35.432097 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.128
05/04/21-21:33:35.479129 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.36.53 | 192.168.2.6
05/04/21-21:33:35.482296 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.128
05/04/21-21:33:35.529084 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.15.66 | 192.168.2.6
05/04/21-21:33:35.529998 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.128
05/04/21-21:33:35.595872 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 195.22.208.79 | 192.168.2.6
05/04/21-21:33:35.596870 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.128
05/04/21-21:33:35.653577 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 93.186.128.39 | 192.168.2.6
05/04/21-21:33:35.653946 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.128
05/04/21-21:33:35.707075 | ICMP | 408 | ICMP Echo Reply | | | 2.23.155.128 | 192.168.2.6

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 21:35:41.399470091 CEST | 8.8.8.8 | 192.168.2.6 | 0x8df7 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 21:35:46.236783028 CEST | 8.8.8.8 | 192.168.2.6 | 0x102f | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 21:33:41
Start date: 04/05/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll'
Imagebase: 0x10b0000
File size: 116736 bytes
MD5 hash: 542795ADF7CC08EFCF675D65310596E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:33:41
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:33:42
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt
Imagebase: 0x230000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:33:42
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
Imagebase: 0x230000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:34:23
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 764
Imagebase: 0x2a0000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:34:26
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 888
                                                                                                      Imagebase:0x2a0000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:21:34:27
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllCanUnloadNow
                                                                                                      Imagebase:0x230000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000E.00000002.605551680.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:21:34:27
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllGetClassObject
                                                                                                      Imagebase:0x230000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000F.00000002.590448594.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:21:34:27
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddFileToInstance
                                                                                                      Imagebase:0x230000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000010.00000002.593134823.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:21:34:28
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddParameter
                                                                                                      Imagebase:0x230000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000011.00000002.593304791.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:21:34:28
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiCancel
                                                                                                      Imagebase:0x230000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000012.00000002.594741649.0000000010001000.00000020.00020000.sdmp, Author: Joe Security

                                                                                                      General

                                                                                                      Start time:21:34:34
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 604
                                                                                                      Imagebase:0x2a0000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:21:35:37
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760
                                                                                                      Imagebase:0x2a0000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:21:35:37
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 760
                                                                                                      Imagebase:0x2a0000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Disassembly

                                                                                                      Code Analysis