
Analysis Report fc0bc077_by_Libranalysis

Overview

General Information

Sample Name: fc0bc077_by_Libranalysis (renamed file extension from none to dll)
Analysis ID: 404283
MD5: fc0bc07721ce94bc9b100e7c846a1210
SHA1: 2d98f05fb78cd75bb44a0087bead8c1604545d07
SHA256: e707edac036a1a2d08b746c6a50ac0f0e2b1ba1c2668aadf87ea11b666b0eb28
Tags: Dridex

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5800 cmdline: loaddll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5496 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4836 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 6728 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5480 cmdline: rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 7000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 928 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7032 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 752 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7100 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7136 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddFileToInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 776 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddParameter MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6232 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiCancel MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 580 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
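The Startup tree above is the pattern a detection engineer would want to recognise on an endpoint: rundll32.exe loading a DLL from a user's Desktop, the same DLL being called with one export after another (#1, LoxmtYt, DllCanUnloadNow, DllGetClassObject, WdiAddFileToInstance, WdiAddParameter, WdiCancel), and WerFault.exe being started for the instances that crash. The script below is an added example and not part of the report; it runs that logic over process-creation events reconstructed from the tree. The event dictionaries (pid, image, cmdline, in the style of Sysmon Event ID 1) are constructed, and the shell32.dll control line is invented for contrast.

```python
import re
from collections import defaultdict

# rundll32 command lines of the form  rundll32.exe <dll>,<export>
# The DLL path may be bare or wrapped in single or double quotes (the report
# prints single quotes); the export may be a name or an ordinal such as #1.
RUNDLL32_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+["']?(?P<dll>[^"',]+?)["']?\s*,\s*(?P<export>\S+)""",
    re.IGNORECASE,
)
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")

# Locations an unprivileged user can write to. A DLL loaded by rundll32 from
# one of these is the part of the pattern that generalises beyond the sandbox.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.search(cmdline)
    if m is None:
        return None
    return m.group("dll").strip(), m.group("export")


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def analyze(events, export_threshold=3):
    """Scan process-creation events (dicts with pid, image, cmdline).

    Returns a dict with:
      user_writable       rundll32 launches whose DLL lives in a user-writable path
      export_enumeration  DLLs invoked with at least export_threshold distinct exports
      crashed_pids        PIDs that WerFault.exe was started for (-p <pid>)
    """
    user_writable = []
    exports_by_dll = defaultdict(set)
    crashed = set()
    for ev in events:
        image = ev["image"].lower()
        if image.endswith("werfault.exe"):
            m = WERFAULT_PID_RE.search(ev["cmdline"])
            if m:
                crashed.add(int(m.group(1)))
            continue
        if not image.endswith("rundll32.exe"):
            continue
        parsed = parse_rundll32(ev["cmdline"])
        if parsed is None:
            continue
        dll, export = parsed
        exports_by_dll[dll.lower()].add(export)
        if is_user_writable(dll):
            user_writable.append((ev["pid"], dll, export))
    export_enumeration = {
        dll: sorted(exports)
        for dll, exports in exports_by_dll.items()
        if len(exports) >= export_threshold
    }
    return {
        "user_writable": user_writable,
        "export_enumeration": export_enumeration,
        "crashed_pids": crashed,
    }


# Constructed events mirroring the Startup tree in the report, plus one benign
# rundll32 launch (shell32.dll from System32) as a control. The field layout is
# an assumption, not a real log export.
DLL = r"C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll"
R32 = r"C:\Windows\SysWOW64\rundll32.exe"
WER = r"C:\Windows\SysWOW64\WerFault.exe"
SAMPLE_EVENTS = [
    {"pid": 5800, "image": r"C:\Windows\System32\loaddll32.exe", "cmdline": f"loaddll32.exe '{DLL}'"},
    {"pid": 4836, "image": R32, "cmdline": f"rundll32.exe '{DLL}',#1"},
    {"pid": 6728, "image": WER, "cmdline": f"{WER} -u -p 4836 -s 760"},
    {"pid": 5480, "image": R32, "cmdline": f"rundll32.exe {DLL},LoxmtYt"},
    {"pid": 7000, "image": WER, "cmdline": f"{WER} -u -p 5480 -s 928"},
    {"pid": 7032, "image": R32, "cmdline": f"rundll32.exe '{DLL}',DllCanUnloadNow"},
    {"pid": 4260, "image": WER, "cmdline": f"{WER} -u -p 7032 -s 752"},
    {"pid": 7100, "image": R32, "cmdline": f"rundll32.exe '{DLL}',DllGetClassObject"},
    {"pid": 7136, "image": R32, "cmdline": f"rundll32.exe '{DLL}',WdiAddFileToInstance"},
    {"pid": 776, "image": R32, "cmdline": f"rundll32.exe '{DLL}',WdiAddParameter"},
    {"pid": 6232, "image": R32, "cmdline": f"rundll32.exe '{DLL}',WdiCancel"},
    {"pid": 6316, "image": WER, "cmdline": f"{WER} -u -p 5800 -s 580"},
    {"pid": 9000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for pid, dll, export in result["user_writable"]:
        print(f"pid {pid}: rundll32 loaded {dll} export {export} from a user-writable path")
    for dll, exports in result["export_enumeration"].items():
        print(f"{dll}: {len(exports)} distinct exports called: {', '.join(exports)}")
    print("WerFault started for PIDs:", sorted(result["crashed_pids"]))
```

In the sandbox the walk through every export is the loaddll32.exe harness, not the sample, so the export-enumeration count is useful for reading reports rather than as a stand-alone alert; the signal that carries over to a real host is the DLL path under the user profile. The WerFault correlation is what "One or more processes crash" in the signature list refers to: only the rundll32 instances for #1, LoxmtYt and DllCanUnloadNow crashed, and the harness process itself crashed at the end.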

Malware Configuration

Threatname: Dridex

{"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}
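Turning the extracted configuration into something usable: the script below is an added example, not part of the report or of Joe Sandbox. It parses the JSON block above (validating that every C2 entry is an IP address with a sane port), emits one Suricata rule per C2 endpoint, matches constructed connection-log lines against the exact ip:port pairs, and applies RC4 with the extracted keys. The report does not say what the keys protect, so the blob that is encrypted and decrypted is constructed; the RC4 routine is checked against the standard "Key"/"Plaintext" test vector. The sid range and the log-line format are assumptions.

```python
import ipaddress
import json
import re

# The configuration block exactly as the report's extractor printed it.
EXTRACTED_CONFIG = (
    '{"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", '
    '"167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", '
    '"xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}'
)


def parse_config(text):
    """Return (version, [(ip, port), ...], [key bytes, ...]).

    Every C2 entry is validated: a host that is not an IP address or a port out
    of range raises ValueError instead of silently producing a useless indicator.
    """
    cfg = json.loads(text)
    c2 = []
    for entry in cfg["C2 list"]:
        host, sep, port = entry.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry {entry!r}")
        ip = ipaddress.ip_address(host)   # ValueError on anything that is not an IP
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in C2 entry {entry!r}")
        c2.append((str(ip), port))
    keys = [k.encode("ascii") for k in cfg["RC4 keys"]]
    return cfg["Version"], c2, keys


def rc4(key, data):
    """Plain RC4 (KSA followed by PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def suricata_rules(c2, sid_base=9000001):
    """One alert per C2 endpoint for outbound TCP from $HOME_NET (sid range is assumed)."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Dridex C2 {ip}:{port}"; flow:to_server; sid:{sid_base + n}; rev:1;)'
        for n, (ip, port) in enumerate(c2)
    ]


# Constructed connection-log lines, not from the report: "src:sport -> dst:dport".
# The third line reaches a C2 address on a port the config does not list, so
# matching on the (ip, port) pair leaves it alone.
SAMPLE_CONN_LOG = """\
10.0.0.5:49231 -> 93.184.216.34:443
10.0.0.5:49244 -> 95.138.161.226:2303
10.0.0.7:51002 -> 167.114.113.13:80
10.0.0.7:51010 -> 167.114.113.13:4125
"""
CONN_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")


def match_c2(log_text, c2):
    """Return the log lines whose destination ip:port is one of the C2 endpoints."""
    wanted = set(c2)
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if m and (m.group(3), int(m.group(4))) in wanted:
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    version, c2, keys = parse_config(EXTRACTED_CONFIG)
    print("Dridex version", version)
    for rule in suricata_rules(c2):
        print(rule)
    for hit in match_c2(SAMPLE_CONN_LOG, c2):
        print("C2 contact:", hit)
    blob = b"constructed blob, not sample data"   # the report does not say what the keys protect
    print("RC4 with first extracted key:", rc4(keys[0], blob).hex())
    print("round-trips:", rc4(keys[0], rc4(keys[0], blob)) == blob)
```

Matching on the full ip:port pair rather than the bare address is deliberate: two of the three endpoints sit on non-standard ports (2303, 4125), and blocking or alerting on the whole address is a choice to make explicitly, since the ASNs listed further down (OVH, Rackspace) host plenty of legitimate traffic. RC4 is kept here only because it is what the family uses; it is not a cipher to reuse in anything new.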

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.494169228.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
19.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      AV Detection:

      Found malware configuration
      Source: 19.2.rundll32.exe.10000000.3.unpack | Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}
      Multi AV Scanner detection for submitted file
      Source: fc0bc077_by_Libranalysis.dll | Metadefender: Detection: 21%
      Source: fc0bc077_by_Libranalysis.dll | ReversingLabs: Detection: 29%
      Machine Learning detection for sample
      Source: fc0bc077_by_Libranalysis.dll | Joe Sandbox ML: detected
      Antivirus or Machine Learning detection for unpacked file
      Source: 19.2.rundll32.exe.5b0000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
      Source: fc0bc077_by_Libranalysis.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
      Source: fc0bc077_by_Libranalysis.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.331722146.0000000005226000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.334059894.0000000004FAD000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.369277067.0000000001022000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.503509731.00000000051A5000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: profapi.pdb, source: WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdbYD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.370801170.000000000101C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: opengl32.pdbe source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: setupapi.pdbw source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: bcrypt.pdb! source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: sechost.pdb[T source: WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: sfc_os.pdb- source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: imagehlp.pdbP source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb' source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: setupapi.pdbSD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rasman.pdbLS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: sfc_os.pdbW~ source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdbY source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.503509731.00000000051A5000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wimm32.pdb9 source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: sechost.pdb} source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: dnsapi.pdbz source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: FGERN.pdb source: fc0bc077_by_Libranalysis.dll
      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500164569.00000000051A2000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdbKD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000019.00000003.369277067.0000000001022000.00000004.00000001.sdmp
      Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: opengl32.pdbED source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: glu32.pdbrS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: sechost.pdbiD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: imagehlp.pdbqD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: ClusApi.pdbb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp
      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb}D source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: ClusApi.pdbxS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: rasapi32.pdbTS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wsspicli.pdb? source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wsspicli.pdbcD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000019.00000003.370801170.000000000101C000.00000004.00000001.sdmp
      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rasman.pdb* source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wimm32.pdbwD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: oleaut32.pdbq source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: combase.pdb_ source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: powrprof.pdb_D source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000019.00000003.367163420.0000000001028000.00000004.00000001.sdmp
      Source: Binary string: combase.pdbk source: WerFault.exe, 00000019.00000003.500164569.00000000051A2000.00000004.00000040.sdmp
      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: iphlpapi.pdb3 source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp

      Networking:

      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractor | IPs: 193.200.130.181:443
      Source: Malware configuration extractor | IPs: 95.138.161.226:2303
      Source: Malware configuration extractor | IPs: 167.114.113.13:4125
      IP address seen in connection with other malware
      Source: Joe Sandbox View | IP Address: 167.114.113.13
      Source: Joe Sandbox View | IP Address: 95.138.161.226
      Internet Provider seen in connection with other malware
      Source: Joe Sandbox View | ASN Name: OVHFR
      Source: Joe Sandbox View | ASN Name: RACKSPACE-LONGB
      Source: Joe Sandbox View | ASN Name: CLOUD-MANAGEMENT-LLCUS

      E-Banking Fraud:

      barindex
      Yara detected Dridex unpacked fileShow sources
      Source: Yara matchFile source: 00000013.00000002.494169228.0000000010001000.00000020.00020000.sdmp, type: MEMORY
      Source: Yara matchFile source: 19.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_100090CC
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 760
Source: fc0bc077_by_Libranalysis.dll; Binary or memory string: OriginalFilenamej2pcsc.dllN vs fc0bc077_by_Libranalysis.dll
Source: fc0bc077_by_Libranalysis.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: fc0bc077_by_Libranalysis.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine; Classification label: mal76.troj.evad.winDLL@21/7@0/3
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7032
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5480
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4836
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5800
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F18.tmp
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt
Source: fc0bc077_by_Libranalysis.dll; Metadefender: Detection: 21%
Source: fc0bc077_by_Libranalysis.dll; ReversingLabs: Detection: 29%
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 760
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 928
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddFileToInstance
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddParameter
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiCancel
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 580
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 752
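The process tree above (rundll32.exe launched against a DLL on the user's Desktop with the ordinal export #1 and with the named export LoxmtYt, followed by WerFault.exe reporting crashes for PIDs 4836 and 5480) is the shape an endpoint analyst would hunt for in process-creation telemetry. The Python below is an added example, not part of the report or of Joe Sandbox: it parses rundll32 command lines in both quoting styles seen above, scores each instance on whether the DLL sits in a user-writable path and whether the export is called by ordinal, and then uses the -p argument of any WerFault.exe child to attach the crash to the right rundll32 instance. The ProcEvent records are constructed from the command lines in this report (PIDs 6900 and 7100 and the parent PID 1000 are invented), and the four-field layout is an assumption; a Sysmon Event ID 1 or EDR feed supplies the same fields.

```python
import re
from dataclasses import dataclass, field

# rundll32 <dll>,<entry>: <dll> may be double-quoted, single-quoted (as in the
# sandbox command lines in this report) or bare; <entry> is an export name or #ordinal.
RUNDLL32_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+(?:"(?P<dq>[^"]+)"|'(?P<sq>[^']+)'|(?P<bare>[^\s,]+))"""
    r"""\s*,\s*(?P<entry>#\d+|[A-Za-z_][\w@]*)""",
    re.IGNORECASE,
)
# WerFault.exe -u -p <pid> -s <event>: the crashed process is named by -p.
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass
class Finding:
    pid: int
    dll: str
    entry: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_rundll32(command_line: str):
    """Return (dll_path, entry) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(command_line)
    if not m:
        return None
    return m.group("dq") or m.group("sq") or m.group("bare"), m.group("entry")


def in_user_writable_path(path: str) -> bool:
    """True for locations an unprivileged user can write; system DLLs should not live there."""
    p = path.lower()
    return (p.startswith("c:\\users\\") or "\\programdata\\" in p
            or "\\appdata\\" in p or "\\temp\\" in p)


def analyze(events):
    """Score every rundll32 process-creation event; returns findings with at least one reason."""
    findings = {}
    for e in events:
        if not e.image.lower().endswith("\\rundll32.exe"):
            continue
        parsed = parse_rundll32(e.command_line)
        if parsed is None:
            continue
        dll, entry = parsed
        f = Finding(e.pid, dll, entry)
        if in_user_writable_path(dll):
            f.reasons.append("DLL loaded from user-writable path")
        if entry.startswith("#"):
            f.reasons.append("export called by ordinal")
        findings[e.pid] = f
    # Second pass: a WerFault child names the crashed process with -p, so the crash
    # is attached to the right rundll32 instance even if events arrive out of order.
    for e in events:
        if e.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(e.command_line)
            if m and int(m.group(1)) in findings:
                findings[int(m.group(1))].reasons.append("process crashed (WerFault spawned for it)")
    return sorted((f for f in findings.values() if f.reasons), key=lambda f: -f.score)


# Constructed events modelled on this report's process tree; PIDs 1000, 6900 and 7100 are invented.
SAMPLE_EVENTS = [
    ProcEvent(5800, 1000, r"C:\Windows\System32\loaddll32.exe",
              r"loaddll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll'"),
    ProcEvent(5496, 5800, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1"),
    ProcEvent(4836, 5496, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1"),
    ProcEvent(5480, 5800, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt"),
    ProcEvent(6728, 4836, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 760"),
    ProcEvent(6900, 5480, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 928"),
    # Benign control: a system DLL with a named export and no crash scores zero.
    ProcEvent(7100, 1000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.dll} -> {f.entry} score={f.score} {f.reasons}")
```

Only the rundll32 image itself is matched, so the cmd.exe /C wrapper at PID 5496 does not produce a second finding for the same launch; the loaddll32.exe parent is a sandbox harness and is deliberately not scored.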
Source: fc0bc077_by_Libranalysis.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: fc0bc077_by_Libranalysis.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.331722146.0000000005226000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.334059894.0000000004FAD000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.369277067.0000000001022000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.503509731.00000000051A5000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: profapi.pdb, source: WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdbYD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.370801170.000000000101C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: opengl32.pdbe source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: setupapi.pdbw source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: bcrypt.pdb! source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: sechost.pdb[T source: WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: sfc_os.pdb- source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: imagehlp.pdbP source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb' source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: setupapi.pdbSD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rasman.pdbLS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: sfc_os.pdbW~ source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdbY source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.503509731.00000000051A5000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wimm32.pdb9 source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: sechost.pdb} source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: dnsapi.pdbz source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: FGERN.pdb source: fc0bc077_by_Libranalysis.dll
      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500164569.00000000051A2000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdbKD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000019.00000003.369277067.0000000001022000.00000004.00000001.sdmp
      Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: opengl32.pdbED source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: glu32.pdbrS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: sechost.pdbiD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: imagehlp.pdbqD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: ClusApi.pdbb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp
      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb}D source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: ClusApi.pdbxS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: rasapi32.pdbTS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wsspicli.pdb? source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wsspicli.pdbcD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000019.00000003.370801170.000000000101C000.00000004.00000001.sdmp
      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rasman.pdb* source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wimm32.pdbwD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: oleaut32.pdbq source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: combase.pdb_ source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: powrprof.pdb_D source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000019.00000003.367163420.0000000001028000.00000004.00000001.sdmp
      Source: Binary string: combase.pdbk source: WerFault.exe, 00000019.00000003.500164569.00000000051A2000.00000004.00000040.sdmp
      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 19_2_1000F6CC push esi; mov dword ptr [esp], 00000000h (19_2_1000F6CD)
Source: initial sample; Static PE information: section name: .text entropy: 7.5511794748
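The .text entropy of 7.55 bits per byte reported above is close to the 8.0 maximum, which is what packed or encrypted code looks like; ordinary compiled x86 code usually sits well below that. The Python below is an added example, not part of the report or of Joe Sandbox, that reproduces the measurement: a minimal PE section-table parser, a Shannon entropy routine, and a decode of the file and DLL characteristics listed earlier for this sample (32BIT_MACHINE, EXECUTABLE_IMAGE, DLL; DYNAMIC_BASE, NX_COMPAT). The build_test_pe fixture and the 7.0 triage threshold are assumptions for illustration; point the script at a real file to get the same fields for it.

```python
import math
import struct
import sys

# Flag values from the PE specification (names as in winnt.h).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

FILE_FLAG_NAMES = {IMAGE_FILE_32BIT_MACHINE: "32BIT_MACHINE",
                   IMAGE_FILE_EXECUTABLE_IMAGE: "EXECUTABLE_IMAGE", IMAGE_FILE_DLL: "DLL"}
DLL_FLAG_NAMES = {IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: "DYNAMIC_BASE",
                  IMAGE_DLLCHARACTERISTICS_NX_COMPAT: "NX_COMPAT"}

# Assumed triage threshold in bits/byte for an executable section.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Minimal PE parser: file characteristics, DllCharacteristics and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", image, hdr)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "flags": flags,
                         "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
                         "entropy": shannon_entropy(raw)})
    return {"file_characteristics": file_chars, "dll_characteristics": dll_chars, "sections": sections}


def describe_flags(value: int, names: dict) -> list:
    """Names of the flags set in value, in table order."""
    return [n for bit, n in names.items() if value & bit]


def suspicious_sections(info: dict) -> list:
    """Executable sections whose entropy suggests packed or encrypted code."""
    return [s["name"] for s in info["sections"] if s["executable"] and s["entropy"] > PACKED_THRESHOLD]


def build_test_pe(text_bytes: bytes) -> bytes:
    """Constructed minimal PE32 DLL with a single .text section; a fixture, not the real sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    raw_ptr = 0x200
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000, len(text_bytes), raw_ptr,
                      0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + sec)
    image += b"\0" * (raw_ptr - len(image))
    return bytes(image + text_bytes)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(bytes(range(256)) * 4)
    info = parse_pe(data)
    print("file:", ", ".join(describe_flags(info["file_characteristics"], FILE_FLAG_NAMES)))
    print("dll: ", ", ".join(describe_flags(info["dll_characteristics"], DLL_FLAG_NAMES)))
    for s in info["sections"]:
        print(f"{s['name']:8s} exec={s['executable']} entropy={s['entropy']:.4f}")
    print("suspicious:", suspicious_sections(info))
```

Entropy alone is a triage signal, not a verdict: a large resource or .rsrc section full of compressed images scores high for benign reasons, which is why suspicious_sections only considers sections marked executable.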
      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect sandboxes / dynamic malware analysis system (file name check)
      Source: C:\Windows\System32\loaddll32.exe Section loaded: \KnownDlls32\Testapp.EXE
      Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: \KnownDlls32\Testapp.EXE
      Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
      Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
      Source: WerFault.exe, 0000001D.00000003.533135770.00000000010F7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW