Play interactive tour

Edit tour

Analysis Report f845ef61_by_Libranalysis.dll

Overview

General Information

Sample Name:	f845ef61_by_Libranalysis.dll
Analysis ID:	404282
MD5:	f845ef6120dfd5a421786e9d818c9ddb
SHA1:	0517da7604bec2311002f113938660db1a7c7c98
SHA256:	26af94089c064eafa3025ac20749882f18213bf8608147a2b842e55e13d7c688
Tags:	Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5040 cmdline: loaddll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 2764 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 8 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 6716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 768 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6036 cmdline: rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5792 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 944 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 6976 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 1400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7000 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 3612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 776 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 7016 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddFileToInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7120 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddParameter MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7152 cmdline: rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiCancel MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5348 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "gVWbIbse4LncmZTrtE5bhEEfziocKyUXoiF1kB3a8v5ucqsS91u1M39nZYKpCWBaZM8JOlA1"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.568262933.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.520394010.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000010.00000002.561363853.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000012.00000002.506563386.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000011.00000002.474922417.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000014.00000002.588526568.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
15.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
20.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
16.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
18.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
17.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 15.2.rundll32.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "gVWbIbse4LncmZTrtE5bhEEfziocKyUXoiF1kB3a8v5ucqsS91u1M39nZYKpCWBaZM8JOlA1"]}

Multi AV Scanner detection for submitted file

Show sources

Source: f845ef61_by_Libranalysis.dll	Metadefender: Detection: 21%			Perma Link
Source: f845ef61_by_Libranalysis.dll	ReversingLabs: Detection: 23%

Machine Learning detection for sample

Show sources

Source: f845ef61_by_Libranalysis.dll

Joe Sandbox ML: detected

Source: f845ef61_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: f845ef61_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cryptbase.pdbV source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.409569511.0000000004C81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.503663301.0000000002EB2000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.524595619.0000000004ADB000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdb[ source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510610057.0000000005310000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.373365836.0000000002F3D000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.534224836.0000000002C2E000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdbs source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb>u source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbGz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb=z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb+ source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb> source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.501406024.0000000002EB8000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.524712511.0000000002C3A000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb7z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb#z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510610057.0000000005310000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb8 source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb\| source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdbv source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdbL source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb)z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb%z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb\| source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510644112.0000000005315000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbR source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbP source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb_ source: WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbc source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdbN source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: imagehlp.pdbz source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb\ source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbv source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: FGERN.pdb source: f845ef61_by_Libranalysis.dll
Source:	Binary string: sfc_os.pdbyz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510644112.0000000005315000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510610057.0000000005310000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbQz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbp source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb;z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: azojr}oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.522361449.00000000007B2000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.372774805.0000000002F37000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.409551953.0000000002F43000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.503663301.0000000002EB2000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.524694317.0000000002C34000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb` source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbsz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: ClusApi.pdbi source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb2 source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb_z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbL source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510644112.0000000005315000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb$ source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbM source: WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbF source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbMz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb@u source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdbXu source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb7 source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 0000001B.00000003.519402498.000000000515E000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.373365836.0000000002F3D000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.502119479.00000000032EC000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.501330183.0000000002EAC000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.534224836.0000000002C2E000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbR source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdbC source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbT source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb1 source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510644112.0000000005315000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb1 source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb( source: WerFault.exe, 00000016.00000003.372774805.0000000002F37000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbj source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbuz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbX source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdboz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbd source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510610057.0000000005310000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb^ source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbn source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510610057.0000000005310000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdbKz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.409454819.0000000002F49000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.501406024.0000000002EB8000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.524712511.0000000002C3A000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbX source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb* source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 193.200.130.181:443
Source: Malware configuration extractor	IPs: 95.138.161.226:2303
Source: Malware configuration extractor	IPs: 167.114.113.13:4125

Source: Joe Sandbox View	IP Address: 167.114.113.13 167.114.113.13
Source: Joe Sandbox View	IP Address: 95.138.161.226 95.138.161.226

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: RACKSPACE-LONGB RACKSPACE-LONGB

Source: WerFault.exe, 0000001C.00000003.552259452.0000000004AE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microg
Source: WerFault.exe, 0000001C.00000003.552259452.0000000004AE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoftk
Source: WerFault.exe, 0000001C.00000003.552259452.0000000004AE3000.00000004.00000001.sdmp	String found in binary or memory: http://microsoft.co
Source: WerFault.exe, 0000001C.00000003.552259452.0000000004AE3000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.c7
Source: WerFault.exe, 0000001C.00000003.552259452.0000000004AE3000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.co

Source: loaddll32.exe, 00000000.00000002.607314256.00000000009DB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 0000000F.00000002.568262933.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.520394010.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.561363853.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.506563386.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.474922417.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.588526568.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 15.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_100090CC

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 768

Source: f845ef61_by_Libranalysis.dll

Binary or memory string: OriginalFilenamej2pcsc.dllN vs f845ef61_by_Libranalysis.dll

Source: f845ef61_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: f845ef61_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal76.troj.evad.winDLL@22/20@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7152
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7000
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6036
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6976

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3D1.tmp

Jump to behavior

Source: f845ef61_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt

Source: f845ef61_by_Libranalysis.dll	Metadefender: Detection: 21%
Source: f845ef61_by_Libranalysis.dll	ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 768
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddFileToInstance
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddParameter
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiCancel
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 944
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 776
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 756
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 756
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddFileToInstance
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddParameter
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiCancel
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: f845ef61_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: f845ef61_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cryptbase.pdbV source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.409569511.0000000004C81000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.503663301.0000000002EB2000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.524595619.0000000004ADB000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdb[ source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510610057.0000000005310000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.373365836.0000000002F3D000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.534224836.0000000002C2E000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdbs source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb>u source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbGz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb=z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb+ source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb> source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.501406024.0000000002EB8000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.524712511.0000000002C3A000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb7z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb#z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510610057.0000000005310000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb8 source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb\| source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdbv source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdbL source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb)z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb%z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb\| source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510644112.0000000005315000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbR source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbP source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb_ source: WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbc source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdbN source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: imagehlp.pdbz source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb\ source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbv source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: FGERN.pdb source: f845ef61_by_Libranalysis.dll
Source:	Binary string: sfc_os.pdbyz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510644112.0000000005315000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510610057.0000000005310000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbQz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbp source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb;z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: azojr}oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.522361449.00000000007B2000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.372774805.0000000002F37000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000016.00000003.409551953.0000000002F43000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.503663301.0000000002EB2000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.524694317.0000000002C34000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb` source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbsz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: ClusApi.pdbi source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb2 source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb_z source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbL source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510644112.0000000005315000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb$ source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbM source: WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbF source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510318514.0000000005312000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbMz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb@u source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdbXu source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb7 source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 0000001B.00000003.519402498.000000000515E000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.373365836.0000000002F3D000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.502119479.00000000032EC000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.501330183.0000000002EAC000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.534224836.0000000002C2E000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdbR source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdbC source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbT source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb1 source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510644112.0000000005315000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb1 source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb( source: WerFault.exe, 00000016.00000003.372774805.0000000002F37000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdbj source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbuz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbX source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdboz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbd source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510610057.0000000005310000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb^ source: WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbn source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.356546300.00000000057E0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510610057.0000000005310000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519717090.00000000055F0000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549236361.0000000005120000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdbKz source: WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000016.00000003.409454819.0000000002F49000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.501406024.0000000002EB8000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.524712511.0000000002C3A000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.510366450.0000000005318000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.549252383.0000000005126000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbX source: WerFault.exe, 0000001B.00000003.519728381.00000000055F6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb* source: WerFault.exe, 0000000B.00000003.356553275.00000000057E6000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.356533507.0000000005611000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.510219331.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.519684631.0000000005621000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.521829579.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.549198466.0000000004F71000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_1000F6CC push esi; mov dword ptr [esp], 00000000h

Source: initial sample

Static PE information: section name: .text entropy: 7.56345314972

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\Testapp.EXE

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Source: WerFault.exe, 0000000B.00000002.511351141.0000000005800000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.538794659.0000000004E60000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.555178488.0000000005160000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.557175613.0000000004BD0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.584233721.0000000005140000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000B.00000002.510238169.000000000516A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWhA
Source: WerFault.exe, 00000020.00000002.583537518.0000000004ACA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWP
Source: WerFault.exe, 0000000B.00000002.510281872.0000000005182000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.554604785.0000000005063000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000002.555571430.0000000002EE9000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000002.583457331.00000000049F4000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000B.00000002.511351141.0000000005800000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.538794659.0000000004E60000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.555178488.0000000005160000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.557175613.0000000004BD0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.584233721.0000000005140000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000B.00000002.511351141.0000000005800000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.538794659.0000000004E60000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.555178488.0000000005160000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.557175613.0000000004BD0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.584233721.0000000005140000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000B.00000002.511351141.0000000005800000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.538794659.0000000004E60000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.555178488.0000000005160000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.557175613.0000000004BD0000.00000002.00000001.sdmp, WerFault.exe, 00000020.00000002.584233721.0000000005140000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Source: C:\Windows\SysWOW64\rundll32.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection11	Virtualization/Sandbox Evasion11	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Security Software Discovery111	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing2	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
f845ef61_by_Libranalysis.dll	21%	Metadefender		Browse
f845ef61_by_Libranalysis.dll	23%	ReversingLabs	Win32.Trojan.Emotet
f845ef61_by_Libranalysis.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
18.2.rundll32.exe.d20000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.2.rundll32.exe.4d0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.2dc0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.c20000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
16.2.rundll32.exe.3110000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.3160000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.2ff0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.9b0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.microsoft.c7	0%	Avira URL Cloud	safe
http://crl.microsoftk	0%	Avira URL Cloud	safe
http://microsoft.co	0%	URL Reputation	safe
http://microsoft.co	0%	URL Reputation	safe
http://microsoft.co	0%	URL Reputation	safe
http://crl.microg	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	URL Reputation	safe
http://www.microsoft.co	0%	URL Reputation	safe
http://www.microsoft.co	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.microsoft.c7	WerFault.exe, 0000001C.00000003.552259452.0000000004AE3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsoftk	WerFault.exe, 0000001C.00000003.552259452.0000000004AE3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://microsoft.co	WerFault.exe, 0000001C.00000003.552259452.0000000004AE3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.microg	WerFault.exe, 0000001C.00000003.552259452.0000000004AE3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	WerFault.exe, 0000001C.00000003.552259452.0000000004AE3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
167.114.113.13	unknown	Canada	16276	OVHFR	true
95.138.161.226	unknown	United Kingdom	15395	RACKSPACE-LONGB	true
193.200.130.181	unknown	unknown	42960	CLOUD-MANAGEMENT-LLCUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	404282
Start date:	04.05.2021
Start time:	21:43:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 17s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	f845ef61_by_Libranalysis.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@22/20@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 60.3% (good quality ratio 54.1%) Quality average: 75.5% Quality standard deviation: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.64.90.137, 184.87.213.153, 23.57.80.111, 92.122.212.210, 92.122.213.81, 8.248.149.254, 67.27.158.254, 67.26.139.254, 67.27.159.126, 67.26.137.254, 52.255.188.83, 20.82.210.154, 104.43.139.144, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
167.114.113.13	3138bf3b_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse
95.138.161.226	3138bf3b_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RACKSPACE-LONGB	3138bf3b_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	95.138.161.226
OVHFR	3138bf3b_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	577e66d4_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	b8fe43e6_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	f845ef61_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	3c271eae_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	fc0bc077_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	e1c88b94_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	edae86a8_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	64b8ed95_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	8743016c_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	d8417415_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	c977c96e_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	9a46403f_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13
	457aedfd_by_Libranalysis.dll	Get hash	malicious	Browse	167.114.113.13

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_9e9a849acbac41d72721a47f3405a62f42b8ebc_82810a17_14bba28b\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12656
Entropy (8bit):	3.767052110848174
Encrypted:	false
SSDEEP:	192://iR0oXNRthHBUZMX4jed+DtAR/u7srS274ItWcK:nifX/BUZMX4je//u7srX4ItWcK
MD5:	C516659A11A285721F1DC17E7449631B
SHA1:	7B7C355F2DA81C5D58E2BCBF0F4AD1F4FE2E4162
SHA-256:	1C5A77D7143D9CDD981366929B3AE6FD473E593FD649EC40AFEA6AED5B8744B6
SHA-512:	D2744CBD7253C8B9BA19B0E2B25AEE1C8554DE48533301472234AD22AD2CC195C70A43C8B4E6960ADCBAB7E0D1FACB9DE25EB6F9927FA5BC6B8A2711D4688370
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.6.0.8.5.4.9.1.4.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.6.2.7.2.0.5.3.3.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.f.1.4.a.1.2.-.9.e.d.1.-.4.c.e.b.-.b.4.a.1.-.3.9.f.5.6.e.c.f.a.9.4.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.8.7.6.2.1.6.3.-.c.e.7.a.-.4.8.b.e.-.b.3.f.6.-.2.c.9.2.b.6.e.a.f.7.f.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.f.0.-.0.0.0.1.-.0.0.1.7.-.2.c.5.d.-.a.0.7.2.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_dce71326267e822e1c117e5eaeaff0826af57120_82810a17_05276ec9\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12686
Entropy (8bit):	3.7691087669253567
Encrypted:	false
SSDEEP:	192:T0sin0oXqt/HBUZMX4jed+DtYR/u7srS274ItWcv:gsiZX2BUZMX4jeX/u7srX4ItWcv
MD5:	BB2A09F6377A113AF4763EF9F143C5FC
SHA1:	93A87CF8FD344E79FA2C66EB93D5C313879976F5
SHA-256:	1E132B4D725583CDD48A16FCEFBEFFED81BAAF5A75CA7D2B73426989A709205C
SHA-512:	DB9A3C79453533261B9D3AE30B8EC6A5E0D02442DB26630F500692B8E368DCD6ED4E5BE3FB8516142E34CD4D88818A0889304E5CA7032EBF6F403331F6917210
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.9.4.2.3.6.6.7.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.6.1.3.7.8.3.5.0.5.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.c.d.d.9.6.0.-.4.3.5.3.-.4.5.0.9.-.a.8.3.4.-.8.c.b.2.b.2.8.3.5.d.7.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.6.7.f.1.d.b.5.-.c.0.5.e.-.4.5.1.c.-.8.7.4.1.-.5.d.a.8.9.8.9.c.b.7.7.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.4.0.-.0.0.0.1.-.0.0.1.7.-.0.3.f.0.-.1.2.7.1.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_dce71326267e822e1c117e5eaeaff0826af57120_82810a17_1a631a21\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12692
Entropy (8bit):	3.7676841014424016
Encrypted:	false
SSDEEP:	192:ItiW0oXat/HBUZMX4jed+DtYR/u7srS274ItWczr:WiQXGBUZMX4jeX/u7srX4ItWc/
MD5:	40391685A57BCD6394EEC613BDFF9D0B
SHA1:	6FC046E8BA0A239235372B28C9BCA8DEC5875602
SHA-256:	263394ACBE1A69C727BE88CF90E1E6EDBB330D2CE59295D80E105D4079F6AC92
SHA-512:	D9F81B0C20C255DDF45B640667706A19A1E9793613A390C67BAC239419B0C17281FFC4DAC50DF0FBD64474374D2161E45BE8F9C6C5D642AEE08F2559B338FF1B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.1.8.5.8.0.6.4.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.5.8.9.5.3.3.5.7.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.7.2.9.e.8.c.-.2.3.5.f.-.4.d.d.b.-.9.7.7.8.-.5.c.2.2.1.d.b.f.1.2.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.5.5.f.4.2.3.-.4.9.b.0.-.4.f.1.0.-.9.9.0.f.-.4.5.d.c.5.7.a.1.a.a.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.0.0.8.-.0.0.0.1.-.0.0.1.7.-.a.8.0.2.-.e.f.5.3.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_f730a8ea7243762d53c97ce08f758e0cd9ff21e_82810a17_0e4369e7\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12692
Entropy (8bit):	3.766565794602172
Encrypted:	false
SSDEEP:	192:r7ji+0oX5t+HuWc0jed+DtYR/u7srS274ItWcn:riIXyuWc0jeX/u7srX4ItWcn
MD5:	969AA97F81D3090DCF20609A90978E83
SHA1:	80817DE99F278B93CE19F4CFE19D2D0D7F48B24A
SHA-256:	23F03D87AE002ED1D984367EC01A487A3C7E0DADE833DF19BD0B7657FA1BF06F
SHA-512:	C98C948962053B8E4BCB242B61E99CDA700103FC02414A0521FAFB8B5B31CD2AF6781DB0BC9DE5E6F491201AFE9CAF591B7E959D2595CA2A2E21282F514C1DF0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.9.3.0.4.9.1.8.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.6.1.2.0.9.6.0.0.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.8.2.7.e.6.8.-.8.a.c.d.-.4.7.7.6.-.8.a.9.1.-.7.3.d.5.3.d.9.3.c.9.a.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.9.3.9.9.7.4.-.3.d.b.1.-.4.2.f.5.-.a.a.c.5.-.4.c.9.2.9.d.0.6.4.0.c.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.8.-.0.0.0.1.-.0.0.1.7.-.1.3.9.4.-.8.1.7.1.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dcfe149c111a993ad25989825f5fd3b9a5561_82810a17_16ff3460\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	12866
Entropy (8bit):	3.7571511554376684
Encrypted:	false
SSDEEP:	192:iiV0oXutFHVzOMjed+Dto8/u7srS274It7cH:ii7XAVzOMjea/u7srX4It7cH
MD5:	5906FB7758AA386D6B2A232B6D4B2DCC
SHA1:	84DDE9062EC80754CC5A1920E60F207EA4D56095
SHA-256:	5E4C68A282D394D9A4FC332F741BBB718C92FD472C48EED8EFFDF09E90142ECC
SHA-512:	39A4D16B10DD0894FE5FF08537E99C1818BA3DB56587046B17939B7B84F7AD83C0A9D9342857953CB450514C5763E156618C259A8475572D514E20FF85517DA9
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.7.3.1.8.9.8.6.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.6.7.5.e.5.0.-.1.3.a.3.-.4.2.d.f.-.a.2.3.e.-.b.d.8.8.c.1.2.2.d.1.0.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.8.5.c.9.f.f.-.4.1.a.b.-.4.b.f.9.-.b.a.0.c.-.9.0.a.0.0.5.3.8.1.8.8.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.9.4.-.0.0.0.1.-.0.0.1.7.-.f.9.f.5.-.e.a.5.3.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.!.1.0.3.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER16B6.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:46:40 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	36816
Entropy (8bit):	2.2315348679228424
Encrypted:	false
SSDEEP:	192:mjPip7Em/RszoctMEU7G3agBtHrhSiDWrY1:Eip7y9Ph7rMiqc
MD5:	3F97B9940A3C7E27C830C94C10275346
SHA1:	4C8684895241FE3089FD869BB67D3412862C4BE6
SHA-256:	EF4E5694EDDF5AA1A3D3EE582930A2AC21DA380D5C83BF9D1AE01C8B9387DAC9
SHA-512:	552301CB1356F23940BF56D075B26B0660098A341CC815AFBA4005FEDAAB17846271D5E643DC65BABE209FBEF3AE751330734B090581C03AE77227306F86303D
Malicious:	false
Preview:	MDMP....... .......0#.`...................U...........B......P ......GenuineIntelW...........T.......X....".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:46:41 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45848
Entropy (8bit):	2.316977876392041
Encrypted:	false
SSDEEP:	192:/4p7/2Yj2F4yS5H1RAH9dW8jBQq1WGUQwWtILPO2cM43nL6Fs:Qp7/5KFY5H7mBdRPU7ZLW2cMgLd
MD5:	99DA2F9D237F938C4142CB89FD57A885
SHA1:	0ADE8574D64AD2A3EF20F8496893E22F05D1A737
SHA-256:	453AE642DA1C4580EB07FF8276A7A43A7F68502549F06B3DA39350CFECED8E24
SHA-512:	CCE8EF63C8FEA162C8FAEBF067C615A434BE2D8521A1493EC3A29A024C455C9FC224F802F97623C08AFCA839935205D3FD0E5E0206794164104B1BAE2B183D5A
Malicious:	false
Preview:	MDMP....... .......1#.`...................U...........B....... ......GenuineIntelW...........T.......@....".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER23F6.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8384
Entropy (8bit):	3.6883777922445296
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNief686YDS6zy2EGgmf8jtHSxCpBZ89bB9sfyrm:RrlsNiG686Y26zy8gmf8xStB2fn
MD5:	859EC050C167E6DF36D1B9579AC7357A
SHA1:	DF623C2C41C9B1749F0150C9A728E96B6F2309D9
SHA-256:	7FFCC80B656A7F517FAC68D23C691FB7982D1E9A4946DEB231DCA6D5A3C3B9F3
SHA-512:	7F2A979EF005B1AC525B7F7B53E258BCE6802BC3588E3CED824A907C31E4A7993F3958A5383D750B710D59A1DA26A045A140CBF8A0BF462266A788C9590948D3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C53.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4766
Entropy (8bit):	4.459226637920454
Encrypted:	false
SSDEEP:	48:cvIwSD8zsWJgtWI95FWSC8Bk8fm8M4JCdsjN4fFTI+q8vjsjN4b4SrSPd:uITfs60SN7JxN4lIKcN4bDWPd
MD5:	953D7908913DCEC967504EC6B863DEED
SHA1:	6F755AE8F4934A08706095CD6123FC58AF91EF36
SHA-256:	718F0FAD4DDCBD4904B9ADD2CB4C7F3204639E5207391D1B1EEEDCCCEC04F14C
SHA-512:	FD2031C518FD9E325DFB36D7CD0AE02D526F9059FAA7D14C8A12DD4509EA4E63CD67A426C039F130DCB05000510A9E02E9DA53CB39AD87E9628AF560CC5C4EB9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975717" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3432.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8314
Entropy (8bit):	3.6911346564432113
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiam6Xk6YDH6zy2EGgmfTjtnSdCpDf89bQ3sfGQm:RrlsNiT606Yj6zy8gmfThSdQ8fo
MD5:	F03FBF18EA802A0AEB4BD817104F0844
SHA1:	B9F97A9AE71CBCC9BF69E51252107F79B51EE293
SHA-256:	E4B509F3D398D348651E0E5A92933D9E304DB9AC78E62E727C61B2EDB022F10F
SHA-512:	640E41AE1A659E239001C6A4F3B80A69A8A88BF3291348CED8B065CE8090509042F5A87FB7976102873C46C8F152DE4B01057185A73935768866A8F5724BD3AB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3849.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8314
Entropy (8bit):	3.6957870572472813
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi7Z6S6YDf6zy2EGgmfTjt0SKCpro89bLlsfo5m:RrlsNiF6S6Y76zy8gmfTuSHL+f7
MD5:	B0C066DDCCBB64169D2F0319AD1F25F1
SHA1:	E09899D287AB4FE1DED4BCB2EEFBAABF9B3DB274
SHA-256:	5FC5D0684EB6E8D946122E65556E92E3DFEDD022F553F30187B0DB6769C0CA5C
SHA-512:	EBE123EBA91AEB8FF4FF7F5F5737B7612EF479D81DDA8B65AF80EDF74A841C5805D5075C2046E20E514B2B4E6480DDE53B7F1340601108D9D04EC355C9FD41B8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER39B1.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4665
Entropy (8bit):	4.4744923541555535
Encrypted:	false
SSDEEP:	48:cvIwSD8zsWJgtWI95FWSC8B0C8fm8M4JCdsjN4CFbVuJ+q8/SNGpNXL4SrS8ad:uITfs60SNqXJxN4+WBNGfbDW/d
MD5:	7DF9BFDEA157DFE30DE7AEE49B2FED7D
SHA1:	C830EEAFBB519DDFC2DC9BCC79D957D7D5CC16D9
SHA-256:	B6D790D943357E549182E1D4533AF92BA6A58E89412DC90AA97DCFAC2E2E8093
SHA-512:	D984F7F79FDEBC5C5B5158BC543ECCD141C41376A7EF078C5F6B050C4952F10AF97A22F978A5ACB313D95A14F2BBC0EA6FE6BE62F86C456B7A01E3CAD3E6F869
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975717" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C46.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4665
Entropy (8bit):	4.474378356949506
Encrypted:	false
SSDEEP:	48:cvIwSD8zstJgtWI95FWSC8Bq8fm8M4JCdsjN4xFfmB+q8/SNGp+4SrSCd:uITfH60SNtJxN4TmBBNGMDWCd
MD5:	2D1B24B1837A856E3911D2EA71AC3AEA
SHA1:	EE89A867E61003371F9546BF97D0693F7E7DABBC
SHA-256:	13C341DCC639D25919576E08DDF7D27C0182FAC4C2746860CEA44E74DCD6D19F
SHA-512:	A0FF46FE9BC96DC1D99C67459C3B8B602626E5E36BAD3AD6866049B3648DFFCDF887094FA36CD0F717D06F85BB9EF3E3D6D34C5128B92631997F587633583992
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975716" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E55.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4665
Entropy (8bit):	4.476417784884797
Encrypted:	false
SSDEEP:	48:cvIwSD8zsWJgtWI95FWSC8By8fm8M4JCdsjN4xFFRxC+q8/SNGph4SrSyd:uITfs60SN9JxN4heBNG/DWyd
MD5:	C1DB612436C81AA19649748B487E6AE7
SHA1:	EE07161B184A62E5BE3C5F8CCC9B741EC48BFFAF
SHA-256:	F2BE7019AE884A85BA3A9A1D6CEC2CA1A3ACA7686A779AB418AA06A19C6E5CE0
SHA-512:	62B7B408595469C8789E898D852898234649C79204FE3F1D212FC4ED51CBEB68F2F8FEEB34D4A557AD8585912A9E4C2A7E83421736E7D09AB72EB70D2100460A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975717" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5342.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:46:53 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	41376
Entropy (8bit):	2.376803089108758
Encrypted:	false
SSDEEP:	192:AaiczfWfv3p7ASJSszoctMEU7G3agDtfrySRo7xOJQnH/f:Uczev3p7pp9PhZryoo7Bff
MD5:	97E821DC9C93B7ACD46F830ABAD725C8
SHA1:	740A1BDDAC120BC9AA90E3B65BE658F247DFAE28
SHA-256:	5FA3EFFC5F135883D95B0FE49F13CC667788A23E672640F1B5BC808E43BEBE25
SHA-512:	D45D1C89F9292D40B7B57DC651570289383249E70CD447D0338C92D09D35C3CECC35D673AC9C23509610D1686C69670C3D2DC7EBEA1103FCAB9D8BE16E37828F
Malicious:	false
Preview:	MDMP....... .......=#.`...................U...........B......P ......GenuineIntelW...........T............".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69E8.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8314
Entropy (8bit):	3.6942063674674097
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNikh69W6YD26zy2EGgmfTjtWSKCprY89bM8sf0Wkm:RrlsNia6s6YS6zy8gmfT8SXMPfl
MD5:	B5541EBAF6F6C6BB989B7FB10B26A4A1
SHA1:	258252D4F406F3B68A5541BF315248FE4053A02B
SHA-256:	33995854F3A8D99A0870F772C4175243A32128F55DA5A157A4B0772A8269CDC7
SHA-512:	59FCFF835265064AD71C48716C200E88A7ABC588E2D074B067DC68B5E2C2DA88A4375E42800E5A4646C4C76E9A6B674C80B24B6B833B9438A15C17E771ABBBE4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6FF4.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4665
Entropy (8bit):	4.47518919444509
Encrypted:	false
SSDEEP:	48:cvIwSD8zsWJgtWI95FWSC8BB8fm8M4JCdsjN4BFX+q8/SNGPdv4SrS6d:uITfs60SNMJxN4rBNGZDW6d
MD5:	FA33222EF52602963A50F18BEB2E5565
SHA1:	A308E994F333111DA0B26295AEFFD8EB26AC3C1D
SHA-256:	D696146A316BED0E1DB69874D86A31AEACC03A7FB14AED4478E1005400F04AEF
SHA-512:	600B58FA16CB9ECD4CEB86BBA976C0749D7D038E365ABEA488988015FA8E5F216083CF9B463558A4B8972096E499F7C308946B87F7C4291193C52CBDEABF0F89
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975717" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC923.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed May 5 04:46:35 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	57548
Entropy (8bit):	2.1599337837765575
Encrypted:	false
SSDEEP:	192:zuENX4175bwtiAp75+8f388faNpAnMS8itn5XRtMgs/uxCI80n8hiSPId7:G5Ap79lbl8EX4gNCc8hiSA5
MD5:	36A7FE5067D6E794B4758DB945C7F9A1
SHA1:	4A2AFF4EB99529D73529F3259F0955F01C7B05C1
SHA-256:	1C2C4EE557D63FC627E7BB20139D8ED33A6EF7CFB9E65280EB41C00D26AEA24E
SHA-512:	4CE0BE6C7122B80AD54C58DBDC6764E93CAC733F3B9B7F5D194969B6E1E067166C5B6B6ECA59CF4F6B1E25DD71EC371CE5FE1C0BFB0BB0A2E1125CF63902BB9C
Malicious:	false
Preview:	MDMP....... .......+#.`...................U...........B......."......GenuineIntelW...........T............".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD65.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8282
Entropy (8bit):	3.69448678559353
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNidJ6l6Yc06/gmfTjt0SKCprj89bU1sfE8m:RrlsNiz6l6YX6/gmfTuSmUOf2
MD5:	D438C56891F5E7FF58B0117EF19FC905
SHA1:	C41C97F9FAB68C610385A35043BBBD032B988225
SHA-256:	C7F73ED92BD70CC5555EF8C0495B9B1E8EFB533573E82B51C4CB5E66895C8F09
SHA-512:	724076EAF74D738E11CFD2C5E7830303441DFC3F3519FCCC34D4C4853D2ACC2735229C42F2FD1A97B4F4F10EAC3684FA2D25D532E56E503EF29C5903725FFEDC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.<./.P.i.d.>.........<.I.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3D1.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 5 04:45:24 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	45248
Entropy (8bit):	2.320640162136055
Encrypted:	false
SSDEEP:	192:B+xxlkZ7QC3p7v28jBQq1WGUQw1tILPG4Ik3aonWF:sx7HC3p73dRPU74LPNL3hWF
MD5:	24E2D8868F6451EF3C14A992637A2E6E
SHA1:	01CE8FC17FC4333FEA9FBE0F2F5C96B258358A67
SHA-256:	00B6C2341552AAEB907CD814BD7261018275E805811BF24E2EB8D622F3817443
SHA-512:	F055E2ACFD0AD0EF2578BA0EE74EDF21303C0D367E572FF1C8EA259F0F850A5C7C334CD319D272F11BD274B89353C84457228B3C256A1E190E5F05B99BF4BC80
Malicious:	false
Preview:	MDMP....... ........".`...................U...........B....... ......GenuineIntelW...........T............".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.549621998734475
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	f845ef61_by_Libranalysis.dll
File size:	164864
MD5:	f845ef6120dfd5a421786e9d818c9ddb
SHA1:	0517da7604bec2311002f113938660db1a7c7c98
SHA256:	26af94089c064eafa3025ac20749882f18213bf8608147a2b842e55e13d7c688
SHA512:	de7fd74114c96ef890112bb1cfd1b8505f588f9eb02f7dcf71ca829f8fa696255cce1cdcf8442d395956cadb8427aabbe2cca5da2dc0a0a14e2b0acb2d9365fc
SSDEEP:	3072:hz63mpMBf4M8+pwhukvhU7fWaX/77/DZgTmbg+MGaFplA33VBrUXCx3:5a/jkvhSlP/7bg8aFnA3brJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.%.0zK.0zK.0zK.0zJ.}{K...3..{K.....P{K...3..zK.V....zK...1..{K......zK.Rich0zK.........................................PE..L..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10024080
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60903ACE [Mon May 3 18:02:54 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e6aa540e1f4085a198af68216e7e3577

Entrypoint Preview

Instruction
mov edx, eax
xor eax, eax
add eax, 00002233h
cmpss xmm1, xmm2, 03h
sub eax, 00002233h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
mov edx, 00000000h
cmpss xmm1, xmm2, 03h
cmp eax, 01h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h
mov eax, 00000000h

Rich Headers

Programming Language:

[RES] VS2012 UPD3 build 60610
[LNK] VS2005 build 50727
[EXP] VS2005 build 50727
[ C ] VS2012 UPD4 build 61030
[IMP] VS2013 UPD2 build 30501

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x27730	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x27804	0x59	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d000	0x1220
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10018	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25000	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x23202	0x23400	False	0.757459275266	data	7.56345314972	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x2b6b	0x2c00	False	0.759410511364	data	7.49732911273	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x28000	0x3473	0x1800	False	0.809244791667	MMDF mailbox	7.52945947875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x3a0	0x400	False	0.4091796875	data	3.06807977608	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d000	0x260	0x400	False	0.5263671875	data	4.13662763457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x33c	data

Imports

DLL	Import
ADVAPI32.dll	RegOverridePredefKey
KERNEL32.dll	GetProfileSectionA, GetProfileSectionW, CreateFileW, CloseHandle, OutputDebugStringA, LoadLibraryExW, OpenSemaphoreW, LoadLibraryW
msvcrt.dll	memset
RASAPI32.dll	RasGetConnectionStatistics
USER32.dll	TranslateMessage
OPENGL32.dll	glTexSubImage1D
CLUSAPI.dll	ClusterEnum
ole32.dll	CreateStreamOnHGlobal, CreatePointerMoniker

Exports

Name	Ordinal	Address
LoxmtYt	1	0x10027776

Version Infos

Description	Data
LegalCopyright	Copyright 2018
InternalName	j2pcsc
FileVersion	8.0.1710.11
Full Version	1.8.0_171-b11
CompanyName	Oracle Corporation
ProductName	Java(TM) Platform SE 8
ProductVersion	8.0.1710.11
FileDescription	Java(TM) Platform SE binary
OriginalFilename	j2pcsc.dll
Translation	0x0000 0x04b0

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
05/04/21-21:33:35.275508	ICMP	384	ICMP PING	192.168.2.6	2.23.155.128
05/04/21-21:33:35.310773	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
05/04/21-21:33:35.312018	ICMP	384	ICMP PING	192.168.2.6	2.23.155.128
05/04/21-21:33:35.347877	ICMP	449	ICMP Time-To-Live Exceeded in Transit	149.11.89.129	192.168.2.6
05/04/21-21:33:35.348906	ICMP	384	ICMP PING	192.168.2.6	2.23.155.128
05/04/21-21:33:35.386995	ICMP	449	ICMP Time-To-Live Exceeded in Transit	130.117.49.165	192.168.2.6
05/04/21-21:33:35.389566	ICMP	384	ICMP PING	192.168.2.6	2.23.155.128
05/04/21-21:33:35.431462	ICMP	449	ICMP Time-To-Live Exceeded in Transit	130.117.0.18	192.168.2.6
05/04/21-21:33:35.432097	ICMP	384	ICMP PING	192.168.2.6	2.23.155.128
05/04/21-21:33:35.479129	ICMP	449	ICMP Time-To-Live Exceeded in Transit	154.54.36.53	192.168.2.6
05/04/21-21:33:35.482296	ICMP	384	ICMP PING	192.168.2.6	2.23.155.128
05/04/21-21:33:35.529084	ICMP	449	ICMP Time-To-Live Exceeded in Transit	130.117.15.66	192.168.2.6
05/04/21-21:33:35.529998	ICMP	384	ICMP PING	192.168.2.6	2.23.155.128
05/04/21-21:33:35.595872	ICMP	449	ICMP Time-To-Live Exceeded in Transit	195.22.208.79	192.168.2.6
05/04/21-21:33:35.596870	ICMP	384	ICMP PING	192.168.2.6	2.23.155.128
05/04/21-21:33:35.653577	ICMP	449	ICMP Time-To-Live Exceeded in Transit	93.186.128.39	192.168.2.6
05/04/21-21:33:35.653946	ICMP	384	ICMP PING	192.168.2.6	2.23.155.128
05/04/21-21:33:35.707075	ICMP	408	ICMP Echo Reply	2.23.155.128	192.168.2.6

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 21:44:18.271537066 CEST	61242	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:18.320259094 CEST	53	61242	8.8.8.8	192.168.2.7
May 4, 2021 21:44:19.822427988 CEST	58562	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:19.871637106 CEST	53	58562	8.8.8.8	192.168.2.7
May 4, 2021 21:44:20.537735939 CEST	56590	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:20.599292040 CEST	53	56590	8.8.8.8	192.168.2.7
May 4, 2021 21:44:20.958507061 CEST	60501	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:21.007457972 CEST	53	60501	8.8.8.8	192.168.2.7
May 4, 2021 21:44:21.931113958 CEST	53775	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:21.980782986 CEST	53	53775	8.8.8.8	192.168.2.7
May 4, 2021 21:44:23.181586981 CEST	51837	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:23.234555006 CEST	53	51837	8.8.8.8	192.168.2.7
May 4, 2021 21:44:24.280247927 CEST	55411	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:24.331056118 CEST	53	55411	8.8.8.8	192.168.2.7
May 4, 2021 21:44:25.631649017 CEST	63668	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:25.680469990 CEST	53	63668	8.8.8.8	192.168.2.7
May 4, 2021 21:44:26.585928917 CEST	54640	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:26.643362999 CEST	53	54640	8.8.8.8	192.168.2.7
May 4, 2021 21:44:27.960483074 CEST	58739	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:28.011437893 CEST	53	58739	8.8.8.8	192.168.2.7
May 4, 2021 21:44:48.954174995 CEST	60338	53	192.168.2.7	8.8.8.8
May 4, 2021 21:44:49.020067930 CEST	53	60338	8.8.8.8	192.168.2.7
May 4, 2021 21:45:13.759598017 CEST	58717	53	192.168.2.7	8.8.8.8
May 4, 2021 21:45:13.821183920 CEST	53	58717	8.8.8.8	192.168.2.7
May 4, 2021 21:45:13.971429110 CEST	59762	53	192.168.2.7	8.8.8.8
May 4, 2021 21:45:14.028637886 CEST	53	59762	8.8.8.8	192.168.2.7
May 4, 2021 21:45:17.855186939 CEST	54329	53	192.168.2.7	8.8.8.8
May 4, 2021 21:45:17.912314892 CEST	53	54329	8.8.8.8	192.168.2.7
May 4, 2021 21:46:33.253622055 CEST	58052	53	192.168.2.7	8.8.8.8
May 4, 2021 21:46:33.310803890 CEST	53	58052	8.8.8.8	192.168.2.7
May 4, 2021 21:46:50.545721054 CEST	54008	53	192.168.2.7	8.8.8.8
May 4, 2021 21:46:50.595954895 CEST	53	54008	8.8.8.8	192.168.2.7
May 4, 2021 21:46:53.717617035 CEST	59451	53	192.168.2.7	8.8.8.8
May 4, 2021 21:46:53.767273903 CEST	53	59451	8.8.8.8	192.168.2.7
May 4, 2021 21:46:55.049025059 CEST	52914	53	192.168.2.7	8.8.8.8
May 4, 2021 21:46:55.100677013 CEST	53	52914	8.8.8.8	192.168.2.7
May 4, 2021 21:47:08.309828043 CEST	64569	53	192.168.2.7	8.8.8.8
May 4, 2021 21:47:08.361191034 CEST	53	64569	8.8.8.8	192.168.2.7
May 4, 2021 21:47:09.916544914 CEST	52816	53	192.168.2.7	8.8.8.8
May 4, 2021 21:47:09.978668928 CEST	53	52816	8.8.8.8	192.168.2.7

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5040 Parent PID: 5752

General

Start time:	21:44:25
Start date:	04/05/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll'
Imagebase:	0x200000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 2764 Parent PID: 5040

General

Start time:	21:44:26
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
Imagebase:	0x870000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6036 Parent PID: 5040

General

Start time:	21:44:26
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll,LoxmtYt
Imagebase:	0xd70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 8 Parent PID: 2764

General

Start time:	21:44:26
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',#1
Imagebase:	0xd70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.520394010.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: WerFault.exe PID: 6716 Parent PID: 8

General

Start time:	21:45:10
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 768
Imagebase:	0x960000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6976 Parent PID: 5040

General

Start time:	21:45:15
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllCanUnloadNow
Imagebase:	0xd70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000F.00000002.568262933.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 7000 Parent PID: 5040

General

Start time:	21:45:16
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',DllGetClassObject
Imagebase:	0xd70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000010.00000002.561363853.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 7016 Parent PID: 5040

General

Start time:	21:45:16
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddFileToInstance
Imagebase:	0xd70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000011.00000002.474922417.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 7120 Parent PID: 5040

General

Start time:	21:45:17
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiAddParameter
Imagebase:	0xd70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000012.00000002.506563386.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 7152 Parent PID: 5040

General

Start time:	21:45:18
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\f845ef61_by_Libranalysis.dll',WdiCancel
Imagebase:	0xd70000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.588526568.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: WerFault.exe PID: 5792 Parent PID: 6036

General

Start time:	21:45:19
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 944
Imagebase:	0x960000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 3612 Parent PID: 7000

General

Start time:	21:46:18
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 776
Imagebase:	0x960000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 1400 Parent PID: 6976

General

Start time:	21:46:19
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 756
Imagebase:	0x960000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 5348 Parent PID: 7152

General

Start time:	21:46:41
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 756
Imagebase:	0x960000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report f845ef61_by_Libranalysis.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior