Analysis Report fc0bc077_by_Libranalysis

Overview

General Information

Sample Name: fc0bc077_by_Libranalysis (renamed file extension from none to dll)
Analysis ID: 404283
MD5: fc0bc07721ce94bc9b100e7c846a1210
SHA1: 2d98f05fb78cd75bb44a0087bead8c1604545d07
SHA256: e707edac036a1a2d08b746c6a50ac0f0e2b1ba1c2668aadf87ea11b666b0eb28
Tags: Dridex

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5800 cmdline: loaddll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5496 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4836 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 6728 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5480 cmdline: rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 7000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 928 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7032 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 752 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7100 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7136 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddFileToInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 776 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddParameter MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6232 cmdline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiCancel MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 580 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.494169228.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
19.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 19.2.rundll32.exe.10000000.3.unpack | Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}
Multi AV Scanner detection for submitted file
Source: fc0bc077_by_Libranalysis.dll | Metadefender: Detection: 21%
Source: fc0bc077_by_Libranalysis.dll | ReversingLabs: Detection: 29%
Machine Learning detection for sample
Source: fc0bc077_by_Libranalysis.dll | Joe Sandbox ML: detected
Source: 19.2.rundll32.exe.5b0000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: fc0bc077_by_Libranalysis.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: fc0bc077_by_Libranalysis.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.331722146.0000000005226000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.334059894.0000000004FAD000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.369277067.0000000001022000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.503509731.00000000051A5000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: profapi.pdb, source: WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdbYD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.370801170.000000000101C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: opengl32.pdbe source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: setupapi.pdbw source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: bcrypt.pdb! source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: sechost.pdb[T source: WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: sfc_os.pdb- source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: imagehlp.pdbP source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb' source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: setupapi.pdbSD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rasman.pdbLS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: sfc_os.pdbW~ source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdbY source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.503509731.00000000051A5000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wimm32.pdb9 source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: sechost.pdb} source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: dnsapi.pdbz source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: FGERN.pdb source: fc0bc077_by_Libranalysis.dll
      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500164569.00000000051A2000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdbKD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000019.00000003.369277067.0000000001022000.00000004.00000001.sdmp
      Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: opengl32.pdbED source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: glu32.pdbrS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: sechost.pdbiD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: imagehlp.pdbqD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: ClusApi.pdbb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp
      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb}D source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: ClusApi.pdbxS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: rasapi32.pdbTS source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wsspicli.pdb? source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wsspicli.pdbcD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000019.00000003.370801170.000000000101C000.00000004.00000001.sdmp
      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: rasman.pdb* source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wimm32.pdbwD source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500198406.00000000051A8000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.421354737.0000000001102000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: oleaut32.pdbq source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: combase.pdb_ source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp
      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: powrprof.pdb_D source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp
      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.341579027.0000000005800000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.427282782.0000000001100000.00000004.00000040.sdmp, WerFault.exe, 00000019.00000003.500131910.00000000051D1000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.518496498.0000000004E30000.00000004.00000040.sdmp
      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000019.00000003.367163420.0000000001028000.00000004.00000001.sdmp
      Source: Binary string: combase.pdbk source: WerFault.exe, 00000019.00000003.500164569.00000000051A2000.00000004.00000040.sdmp
      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp, WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518534518.0000000004E36000.00000004.00000040.sdmp
      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.341568695.00000000056B1000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.418006776.0000000005441000.00000004.00000001.sdmp, WerFault.exe, 00000019.00000003.503071164.00000000051A0000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.518464201.0000000004E61000.00000004.00000001.sdmp
      Source: Binary string: iphlpapi.pdb3 source: WerFault.exe, 00000010.00000003.422693669.0000000001108000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 193.200.130.181:443
Source: Malware configuration extractor | IPs: 95.138.161.226:2303
Source: Malware configuration extractor | IPs: 167.114.113.13:4125
Source: Joe Sandbox View | IP Address: 167.114.113.13
Source: Joe Sandbox View | IP Address: 95.138.161.226
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: RACKSPACE-LONGB
Source: Joe Sandbox View | ASN Name: CLOUD-MANAGEMENT-LLCUS

      E-Banking Fraud:

      barindex
      Yara detected Dridex unpacked fileShow sources
      Source: Yara match | File source: 00000013.00000002.494169228.0000000010001000.00000020.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 19.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_10001494
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_10011460
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000846C
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000A52C
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_10011D58
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_10019348
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_10010754
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_100090CC
      Source: fc0bc077_by_Libranalysis.dll | Binary or memory string: OriginalFilenamej2pcsc.dllN vs fc0bc077_by_Libranalysis.dll
      Source: fc0bc077_by_Libranalysis.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
      Source: fc0bc077_by_Libranalysis.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engine | Classification label: mal76.troj.evad.winDLL@21/7@0/3
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7032
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5480
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4836
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5800
      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F18.tmp
      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: fc0bc077_by_Libranalysis.dll | Metadefender: Detection: 21%
      Source: fc0bc077_by_Libranalysis.dll | ReversingLabs: Detection: 29%
      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll'
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 760
      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 928
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllCanUnloadNow
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllGetClassObject
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddFileToInstance
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddParameter
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiCancel
      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 580
      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 752
      Source: fc0bc077_by_Libranalysis.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
      Source: fc0bc077_by_Libranalysis.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 19_2_1000F6CC push esi; mov dword ptr [esp], 00000000h
      Source: initial sample | Static PE information: section name: .text entropy: 7.5511794748
      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      barindex
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Windows\System32\loaddll32.exe  Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe  Section loaded: \KnownDlls32\Testapp.EXE  (x7)
Source: C:\Windows\System32\loaddll32.exe  Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe  Thread delayed: delay time: 120000
Source: WerFault.exe, 0000001D.00000003.533135770.00000000010F7000.00000004.00000001.sdmp  Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 19_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 19_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
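The evidence lines above (the long run of "Process information set" entries and the sandbox-evasion block) are easier to triage once identical lines are collapsed per process and the crash handler's own activity is separated from the sample's: WerFault.exe is only present because rundll32.exe crashed, so its SetErrorMode flags and the strings in its memory dumps describe the handler, not the DLL. The Python script below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It assumes the fused "Source: <process path><evidence kind>: <detail>" line shape produced by this extraction, the sample lines are constructed from entries in this report, and the CRASH_HANDLERS and DEBUGGER_CHECK_APIS sets are my own choices.

```python
"""Triage helper for Joe Sandbox-style evidence lines (added example, not Joe Sandbox code)."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines modelled on this report's evidence section. In this
# extraction the process path and the evidence kind are run together.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX",
    r"Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\System32\loaddll32.exeSection loaded: \KnownDlls32\Testapp.EXE",
    r"Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: \KnownDlls32\Testapp.EXE",
    r"Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000",
    r"Source: WerFault.exe, 0000001D.00000003.533135770.00000000010F7000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW",
    r"Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,OutputDebugStringA,",
    r"Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.341585615.0000000005806000.00000004.00000040.sdmp",
]

# Shape 1: "Source: <drive>:\...\<name>.exe<kind>: <detail>"  (process evidence)
LINE_RE = re.compile(r"^Source: (?P<proc>[A-Za-z]:\\[^:]*?\.exe)(?P<kind>[^:]+): (?P<detail>.*)$")
# Shape 2: "Source: <name>.exe, <dump id>.sdmp<kind>: <detail>"  (memory-dump evidence)
DUMP_RE = re.compile(r"^Source: (?P<proc>[^,]+\.exe), (?P<dump>\S+\.sdmp)(?P<kind>[^:]+): (?P<detail>.*)$")

# Processes that exist only because something else crashed (assumption: this list is mine).
CRASH_HANDLERS = {"WerFault.exe", "WerFaultSecure.exe"}
# APIs commonly used to detect a debugger; the report flagged OutputDebugString + GetLastError.
DEBUGGER_CHECK_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringA",
                       "OutputDebugStringW", "DebugBreak", "NtQueryInformationProcess"}


def parse_line(line):
    """Return (process basename, evidence kind, detail), or None for lines in another shape
    (e.g. the 'Binary string: ...pdb source: ...' entries)."""
    line = line.strip()
    m = LINE_RE.match(line) or DUMP_RE.match(line)
    if not m:
        return None
    proc = m.group("proc").rsplit("\\", 1)[-1]
    return proc, m.group("kind").strip(), m.group("detail").strip()


def tally(lines):
    """Collapse identical evidence into (process, kind, detail) -> count; also count unparsed lines."""
    counts, unparsed = Counter(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
        else:
            counts[parsed] += 1
    return counts, unparsed


def attributable_to_sample(counts):
    """Drop evidence whose source process is a crash handler; what remains ran the sample's code."""
    return Counter({key: n for key, n in counts.items() if key[0] not in CRASH_HANDLERS})


def error_mode_flags(counts):
    """Per-process set of SetErrorMode-style flags, splitting 'A | B' details into single flags."""
    flags = defaultdict(set)
    for (proc, kind, detail), _n in counts.items():
        if kind == "Process information set":
            flags[proc].update(f.strip() for f in detail.split("|"))
    return dict(flags)


def code_function_apis(counts):
    """Map each 'Code function' entry (keyed by its address, '?' if absent) to the APIs it lists."""
    result = {}
    for (_proc, kind, detail), _n in counts.items():
        if kind != "Code function":
            continue
        parts = detail.split(" ", 1)
        addr, api_list = parts if len(parts) == 2 else ("?", parts[0])
        result[addr] = [api for api in api_list.split(",") if api]
    return result


def debugger_check_hits(counts):
    """Addresses whose API list contains a debugger-detection API, with the matching APIs sorted."""
    hits = {}
    for addr, apis in code_function_apis(counts).items():
        found = sorted(set(apis) & DEBUGGER_CHECK_APIS)
        if found:
            hits[addr] = found
    return hits


if __name__ == "__main__":
    # Pipe the report's evidence lines in on stdin, or run without input to use the sample lines.
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin.read().splitlines()
    counts, unparsed = tally(lines)
    for (proc, kind, detail), n in sorted(counts.items()):
        print(f"{n:3d}x {proc:14s} {kind}: {detail[:70]}")
    print("unparsed lines:", unparsed)
    print("SetErrorMode-style flags:", error_mode_flags(counts))
    print("debugger-check APIs in sample code:", debugger_check_hits(attributable_to_sample(counts)))
```

Run as `python3 triage.py < evidence.txt`; the WerFault entries are reported but excluded from the debugger-check summary, which is what a reviewer of this report wants when deciding which of the "Process information set" lines are the sample's own calls (the rundll32.exe ones) and which are crash-handler noise.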

      Mitre Att&ck Matrix

Techniques per tactic column. The digits after a technique name are the hit markers the report prints as superscripts for matched techniques; entries without digits are the matrix's unmatched default cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (11); Obfuscated Files or Information (2); Rundll32 (1); Software Packing (3); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (111); Virtualization/Sandbox Evasion (11); Account Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data

      Behavior Graph

Behavior Graph ID: 404283; Sample: fc0bc077_by_Libranalysis; Start date: 04/05/2021; Architecture: WINDOWS; Score: 76
Contacted IPs: 95.138.161.226 (RACKSPACE-LONGB, United Kingdom); 167.114.113.13 (OVHFR, Canada); 193.200.130.181 (CLOUD-MANAGEMENT-LLCUS, unknown)
Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Dridex unpacked file; 2 other signatures
Process tree as drawn in the graph:
  loaddll32.exe  [Tries to detect sandboxes / dynamic malware analysis system (file name check)]
    cmd.exe
      rundll32.exe  [Tries to detect sandboxes / dynamic malware analysis system (file name check)] -> WerFault.exe
    rundll32.exe  [Tries to detect sandboxes / dynamic malware analysis system (file name check)] -> WerFault.exe
    rundll32.exe -> WerFault.exe
    5 other processes


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source                        Detection  Scanner         Label
fc0bc077_by_Libranalysis.dll  21%        Metadefender
fc0bc077_by_Libranalysis.dll  30%        ReversingLabs   Win32.Trojan.Wacatac
fc0bc077_by_Libranalysis.dll  100%       Joe Sandbox ML

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

Source                             Detection  Scanner  Label
19.2.rundll32.exe.590607.1.unpack  100%       Avira    TR/Crypt.XPACK.Gen
19.2.rundll32.exe.5b0000.2.unpack  100%       Avira    TR/ATRAPS.Gen2

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs


      Public

IP               Domain   Country         ASN    ASN Name                Malicious
167.114.113.13   unknown  Canada          16276  OVHFR                   true
95.138.161.226   unknown  United Kingdom  15395  RACKSPACE-LONGB         true
193.200.130.181  unknown  unknown         42960  CLOUD-MANAGEMENT-LLCUS  true

      General Information

      Joe Sandbox Version:32.0.0 Black Diamond
      Analysis ID:404283
      Start date:04.05.2021
      Start time:21:32:56
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 8m 7s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:fc0bc077_by_Libranalysis (renamed file extension from none to dll)
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:32
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal76.troj.evad.winDLL@21/7@0/3
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 95.2% (good quality ratio 93.5%)
      • Quality average: 78.4%
      • Quality standard deviation: 25.7%
      HCA Information:
      • Successful, ratio: 75%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      Warnings:
      • Report size exceeded maximum capacity and may have missing behavior information.

      Simulations

      Behavior and APIs

Time      Type             Description
21:34:37  API Interceptor  1x Sleep call for process: loaddll32.exe modified

      Joe Sandbox View / Context

      IPs

Match: 167.114.113.13 (associated samples, each detected as malicious)
  e1c88b94_by_Libranalysis.dll
  8743016c_by_Libranalysis.dll
  d8417415_by_Libranalysis.dll
  9a46403f_by_Libranalysis.dll
  edae86a8_by_Libranalysis.dll
  457aedfd_by_Libranalysis.dll
  64b8ed95_by_Libranalysis.dll
  8743016c_by_Libranalysis.dll
  d8417415_by_Libranalysis.dll
  c977c96e_by_Libranalysis.dll
  9a46403f_by_Libranalysis.dll
  457aedfd_by_Libranalysis.dll
  edae86a8_by_Libranalysis.dll
  b8dd7ed8_by_Libranalysis.dll
  af1e75cf_by_Libranalysis.dll
  64b8ed95_by_Libranalysis.dll
  c85a75aa_by_Libranalysis.dll
  c977c96e_by_Libranalysis.dll
  b8dd7ed8_by_Libranalysis.dll
  af1e75cf_by_Libranalysis.dll
Match: 95.138.161.226 (associated samples, each detected as malicious)
  e1c88b94_by_Libranalysis.dll
  8743016c_by_Libranalysis.dll
  d8417415_by_Libranalysis.dll
  9a46403f_by_Libranalysis.dll
  edae86a8_by_Libranalysis.dll
  457aedfd_by_Libranalysis.dll
  64b8ed95_by_Libranalysis.dll
  8743016c_by_Libranalysis.dll
  d8417415_by_Libranalysis.dll
  c977c96e_by_Libranalysis.dll
  9a46403f_by_Libranalysis.dll
  457aedfd_by_Libranalysis.dll
  edae86a8_by_Libranalysis.dll
  b8dd7ed8_by_Libranalysis.dll
  af1e75cf_by_Libranalysis.dll
  64b8ed95_by_Libranalysis.dll
  c85a75aa_by_Libranalysis.dll
  c977c96e_by_Libranalysis.dll
  b8dd7ed8_by_Libranalysis.dll
  af1e75cf_by_Libranalysis.dll

                                                                                      Domains

                                                                                      No context

                                                                                      ASN

Match: RACKSPACE-LONGB (associated samples, each detected as malicious; context IP 95.138.161.226 in every entry)
  e1c88b94_by_Libranalysis.dll
  8743016c_by_Libranalysis.dll
  d8417415_by_Libranalysis.dll
  9a46403f_by_Libranalysis.dll
  edae86a8_by_Libranalysis.dll
  457aedfd_by_Libranalysis.dll
  64b8ed95_by_Libranalysis.dll
  8743016c_by_Libranalysis.dll
  d8417415_by_Libranalysis.dll
  c977c96e_by_Libranalysis.dll
  9a46403f_by_Libranalysis.dll
  457aedfd_by_Libranalysis.dll
  edae86a8_by_Libranalysis.dll
  b8dd7ed8_by_Libranalysis.dll
  af1e75cf_by_Libranalysis.dll
  64b8ed95_by_Libranalysis.dll
  c85a75aa_by_Libranalysis.dll
  c977c96e_by_Libranalysis.dll
  b8dd7ed8_by_Libranalysis.dll
  af1e75cf_by_Libranalysis.dll
Match: CLOUD-MANAGEMENT-LLCUS (associated samples, each detected as malicious; context IP 193.200.130.181 in every entry)
  e1c88b94_by_Libranalysis.dll
  8743016c_by_Libranalysis.dll
  d8417415_by_Libranalysis.dll
  9a46403f_by_Libranalysis.dll
  edae86a8_by_Libranalysis.dll
  457aedfd_by_Libranalysis.dll
  64b8ed95_by_Libranalysis.dll
  8743016c_by_Libranalysis.dll
  d8417415_by_Libranalysis.dll
  c977c96e_by_Libranalysis.dll
  9a46403f_by_Libranalysis.dll
  457aedfd_by_Libranalysis.dll
  edae86a8_by_Libranalysis.dll
  b8dd7ed8_by_Libranalysis.dll
  af1e75cf_by_Libranalysis.dll
  64b8ed95_by_Libranalysis.dll
  c85a75aa_by_Libranalysis.dll
  c977c96e_by_Libranalysis.dll
  b8dd7ed8_by_Libranalysis.dll
  af1e75cf_by_Libranalysis.dll
Match: OVHFR (associated samples, each detected as malicious; context IP 167.114.113.13 in every entry)
  e1c88b94_by_Libranalysis.dll
  8743016c_by_Libranalysis.dll
  d8417415_by_Libranalysis.dll
  9a46403f_by_Libranalysis.dll
  edae86a8_by_Libranalysis.dll
  457aedfd_by_Libranalysis.dll
  64b8ed95_by_Libranalysis.dll
  8743016c_by_Libranalysis.dll
  d8417415_by_Libranalysis.dll
  c977c96e_by_Libranalysis.dll
  9a46403f_by_Libranalysis.dll
  457aedfd_by_Libranalysis.dll
  edae86a8_by_Libranalysis.dll
  b8dd7ed8_by_Libranalysis.dll
                                                                                      af1e75cf_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                      • 167.114.113.13
                                                                                      64b8ed95_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                      • 167.114.113.13
                                                                                      c85a75aa_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                      • 167.114.113.13
                                                                                      c977c96e_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                      • 167.114.113.13
                                                                                      b8dd7ed8_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                      • 167.114.113.13
                                                                                      af1e75cf_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                      • 167.114.113.13

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER58E4.tmp.WERInternalMetadata.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8382
                                                                                      Entropy (8bit):3.692806116875498
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Rrl7r3GLNiU4616Y/k6rDgmf8GHS5CpBW89bwnhsfNwm:RrlsNiT616YM6rDgmf8US8wnafv
                                                                                      MD5:87D22F12DBDB2F159700C25E44D7BBE2
                                                                                      SHA1:4626A03A64F12D738E5B554AA26EA61982C7F290
                                                                                      SHA-256:015FA8D5B4E37F7C0F294FB4D7E1770805720833073E42EAFB831DBC0AAD67C8
                                                                                      SHA-512:CFB0DDEB4D1C07B60FF923E00CAF0EDCA0F23881A08580C3B3BD9F94704B90DD9EFC08E0A6AF42F66C2120C6F333579F7C5D7A6734336805FF2A98A694A1882E
                                                                                      Malicious:false
                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.8.0.<./.P.i.d.>.......
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C49.tmp.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4766
                                                                                      Entropy (8bit):4.461586416167699
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zsQJgtWI9LTWSC8BX/8fm8M4JCdskN4fFiY+q8vjskN4yhV54SrSjd:uITfWkiSNKJ2N4jKrN40V5DWjd
                                                                                      MD5:4B7B1D196E97FE65F8D7D4A351A9D63B
                                                                                      SHA1:694854501C58379C4287E3C724E61970AABC78B0
                                                                                      SHA-256:EFC9F086B2EB8EB455805B1DFF7DDA61266709CC295E09442294DCD547BC5281
                                                                                      SHA-512:0C2087B087403D08A030A46408630F9B65BA6C33AD2FA1978BC809BCFD355E6EFA6E42649EC5B44C742D5A21D2410298D41CD6104CBB6FF2675EEAC2698AD609
                                                                                      Malicious:false
                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975706" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F18.tmp.dmp
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 14 streams, Wed May 5 04:34:39 2021, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):40228
                                                                                      Entropy (8bit):2.4948280065301587
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:I5OyvPAmrgBjAgXJgo/5IHP5TMfsMocwMEU7G3aLsGHrb71RMu/PfMNd9Zln:fCYQgBkgXJ9sPZJY2esGrbbH/Pa/n
                                                                                      MD5:B3C703888E53812262ED07B180BFC1A5
                                                                                      SHA1:3096346789F4544532DA8EC62677E3932D713B49
                                                                                      SHA-256:DC23C05FC18D6CDA16C850784E0D9FB7EE7BA6448CC028F9F8068273431FE6FE
                                                                                      SHA-512:892648D861ADDD1FED9B57F271323F44A725BB5F578B653AEDBC407169C4BDD0A09BC6A1E6BF04C1C81E5372B6800DA45B9491C62E2F99CBCC59D00ACCFA21E4
                                                                                      Malicious:false
                                                                                      Preview: MDMP....... ......._ .`...................U...........B......P ......GenuineIntelW...........T...........+ .`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERADCE.tmp.dmp
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 15 streams, Wed May 5 04:35:07 2021, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):49052
                                                                                      Entropy (8bit):2.30173230730282
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:UPIVjsfPTbCAbnzsgoZQKeuje5XOagyiIEpmzq9nZDxmuxS:qIVgfSSwgqHjsXngz5pp/a
                                                                                      MD5:066E444520FEFBA46B30B618412DCC7F
                                                                                      SHA1:B25BAC021E8B7777974C85E2DBAE9F347CACE85C
                                                                                      SHA-256:2202877BF640155BB85B986561A9BD5A7C96F3529DC59B928D31EDC700226122
                                                                                      SHA-512:E153981020D362338497BFBE29F5F66041F9AD064BAAAA4931952BD29528DCD60914214EB21F80347E9A91507C34DB9A3E8852A6111636D1799BB3BFB1576CEB
                                                                                      Malicious:false
                                                                                      Preview: MDMP....... .......{ .`...................U...........B......."......GenuineIntelW...........T.......h...+ .`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE7B.tmp.WERInternalMetadata.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8308
                                                                                      Entropy (8bit):3.701679402457719
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Rrl7r3GLNik269r6YV+6OkgmfTHjSX8CprP89bSnYsfwTmm:RrlsNid6h6Y86OkgmfTHjSESnLfwb
                                                                                      MD5:6674D2BA58A6826CD1EB20E890CC9ADC
                                                                                      SHA1:3664890381B7FD8A5F79B2DD85777B34C66B48CE
                                                                                      SHA-256:19AE4DB3B3A388FB6B085586411AD4C7D061CC8DB5B5ECB5CC0F67710ECAC1C5
                                                                                      SHA-512:6FF3268B0F3855226A7D00DEF77504054CBA1E4A5D3F74C38FD6A95732E998B2AF2488129E540D5A4AA6898C7531455A5151C7AEACFA2F1DCD7335D3AA0EF476
                                                                                      Malicious:false
                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.3.6.<./.P.i.d.>.......
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1D7.tmp.xml
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4679
                                                                                      Entropy (8bit):4.511580448811392
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zs5JgtWI9LTWSC8BF8fm8M4JCdsnZFwpn+q8/3UwV54SrSYd:uITfLkiSNwJVspjwV5DWYd
                                                                                      MD5:A60A92E323E8DA233931E9A35B09C953
                                                                                      SHA1:97C145F6566B503E5264E13633EB0F306A0883B1
                                                                                      SHA-256:D9B578D4BC6DD62195E8282BDF51CA74B29D81C339E7148C4BD75FDFCCFE5C7E
                                                                                      SHA-512:1EDFEB3F77B909D17E3BC830719AA0F64C8516E786FAB407B2DAB97D301DE255A86268355B6FD7B2DC1C5D71A4927078112AF434C1B488DEAA1F7B5032F47F74
                                                                                      Malicious:false
                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975705" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERF47C.tmp.dmp
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:empty
                                                                                      Category:dropped
                                                                                      Size (bytes):0
                                                                                      Entropy (8bit):0.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3::
                                                                                      MD5:D41D8CD98F00B204E9800998ECF8427E
                                                                                      SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
                                                                                      SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
                                                                                      SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
                                                                                      Malicious:false
                                                                                      Preview:

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.53604314211802
                                                                                      TrID:
                                                                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                      • DOS Executable Generic (2002/1) 0.20%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:fc0bc077_by_Libranalysis.dll
                                                                                      File size:164864
                                                                                      MD5:fc0bc07721ce94bc9b100e7c846a1210
                                                                                      SHA1:2d98f05fb78cd75bb44a0087bead8c1604545d07
                                                                                      SHA256:e707edac036a1a2d08b746c6a50ac0f0e2b1ba1c2668aadf87ea11b666b0eb28
                                                                                      SHA512:148d0dbd3b2cfa7a9182f073e13a83bbbf5cbce934b04366b539799007df341bf953308647f0bee16e351b3716f25e4e10c349dfda5bae70ded3cae208621b35
                                                                                      SSDEEP:3072:sC2X+QFg3UutDvUvoU8pz6EJEEhu6Tzace9kuaGA81/YXKHML/Vp8AF:MG3rUvoU4JE/Wzan9T7B/CKsL/Vy
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.%.0zK.0zK.0zK.0zJ.}{K...3..{K.....P{K...3..zK.V....zK...1..{K......zK.Rich0zK.........................................PE..L..

                                                                                      File Icon

                                                                                      Icon Hash:74f0e4ecccdce0e4

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x100241a0
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x10000000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                      Time Stamp:0x60903ADD [Mon May 3 18:03:09 2021 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:5
                                                                                      OS Version Minor:0
                                                                                      File Version Major:5
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:5
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f108efab351dd21acb187c36805c5bbe

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      mov edx, eax
                                                                                      xor eax, eax
                                                                                      add eax, 00002233h
                                                                                      cmpss xmm1, xmm2, 03h
                                                                                      sub eax, 00002233h
                                                                                      mov edx, 00000000h
                                                                                      mov edx, 00000000h
                                                                                      mov edx, 00000000h
                                                                                      mov edx, 00000000h
                                                                                      mov edx, 00000000h
                                                                                      mov edx, 00000000h
                                                                                      cmpss xmm1, xmm2, 03h
                                                                                      cmp eax, 01h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h
                                                                                      mov eax, 00000000h

Rich Headers

Programming Language:
• [RES] VS2012 UPD3 build 60610
• [LNK] VS2005 build 50727
• [EXP] VS2005 build 50727
• [ C ] VS2012 UPD4 build 61030
• [IMP] VS2013 UPD2 build 30501

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x27730          0x55          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x27804          0x59          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2c000          0x3a0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2d000          0x1220
IMAGE_DIRECTORY_ENTRY_DEBUG           0x10018          0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x25000          0x60          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type     Entropy        Characteristics
.text   0x1000           0x23322       0x23400   False     0.759010693706   data          7.5511794748   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x25000          0x2e39        0x2c00    False     0.770774147727   data          7.47865520081  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata  0x28000          0x336c        0x1800    False     0.78564453125    MMDF mailbox  7.42299069747  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x2c000          0x48c         0x400     False     0.4091796875     data          3.06807977608  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x2d000          0x258         0x400     False     0.5263671875     data          4.16057022331  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name        RVA      Size   Type  Language  Country
RT_VERSION  0x2c060  0x33c  data

Imports

DLL           Imports
msvcrt.dll    memset
ADVAPI32.dll  RegOverridePredefKey
ole32.dll     CreatePointerMoniker, CreateStreamOnHGlobal
USER32.dll    TranslateMessage
OPENGL32.dll  glTexSubImage1D
KERNEL32.dll  CloseHandle, OutputDebugStringA, LoadLibraryExW, CreateFileW, GetProfileSectionW, LoadLibraryW, GetProfileSectionA, OpenSemaphoreW
RASAPI32.dll  RasGetConnectionStatistics
CLUSAPI.dll   ClusterEnum

Exports

Name     Ordinal  Address
LoxmtYt  1        0x10027776

Version Infos

Description       Data
LegalCopyright    Copyright 2018
InternalName      j2pcsc
FileVersion       8.0.1710.11
Full Version      1.8.0_171-b11
CompanyName       Oracle Corporation
ProductName       Java(TM) Platform SE 8
ProductVersion    8.0.1710.11
FileDescription   Java(TM) Platform SE binary
OriginalFilename  j2pcsc.dll
Translation       0x0000 0x04b0

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 21:33:46
Start date: 04/05/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll'
Imagebase: 0xf90000
File size: 116736 bytes
MD5 hash: 542795ADF7CC08EFCF675D65310596E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:33:46
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
Imagebase: 0x870000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:33:47
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll,LoxmtYt
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:33:47
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',#1
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:34:31
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 760
Imagebase: 0x1200000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:34:34
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 928
Imagebase: 0x1200000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:34:35
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllCanUnloadNow
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:34:35
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',DllGetClassObject
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000013.00000002.494169228.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 21:34:35
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddFileToInstance
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:34:36
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiAddParameter
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:34:36
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\fc0bc077_by_Libranalysis.dll',WdiCancel
Imagebase: 0x10d0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:34:40
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 580
Imagebase: 0x1200000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 21:35:41
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 752
Imagebase: 0x1200000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis
