Analysis Report 3c271eae_by_Libranalysis

Overview

General Information

Sample Name: 3c271eae_by_Libranalysis (renamed file extension from none to dll)
Analysis ID: 404285
MD5: 3c271eae5a3a2817cfd8704f75fdf405
SHA1: 03b821b5d8b5416900245a05fce8541a21b6da7c
SHA256: dbd00287fe0c78430fee81ec6333b9c9b1863b7c62ac305de627ce6ca9fb314e
Tags: Dridex

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • loaddll32.exe (PID: 7108 cmdline: loaddll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 7124 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7144 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 6240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 760 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7132 cmdline: rundll32.exe C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll,LoxmtYt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 928 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6496 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6564 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6600 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddFileToInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5624 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddParameter MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 744 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiCancel MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 588 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_7584c961c6fefb28629a227a579a8cc1f481e81d_82810a17_1806e157\Report.wer | SUSP_WER_Critical_HeapCorruption | Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation) | Florian Roth
  • 0x11c:$a1: ReportIdentifier=
  • 0x19e:$a1: ReportIdentifier=
  • 0x77a:$a2: .Name=Fault Module Name
  • 0x928:$s1: c0000374

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.933498628.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
0000000D.00000002.932757910.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000001.00000002.929835817.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000004.00000002.933327968.0000000010001000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.loaddll32.exe.10000000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
15.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
4.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
13.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.loaddll32.exe.10000000.2.unpack | Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}
Multi AV Scanner detection for submitted file
Source: 3c271eae_by_Libranalysis.dll | Metadefender: Detection: 21%
Source: 3c271eae_by_Libranalysis.dll | ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: 3c271eae_by_Libranalysis.dll | Joe Sandbox ML: detected
Source: 15.2.rundll32.exe.31b0000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.c00000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 1.2.loaddll32.exe.580000.1.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.5a0000.2.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 3c271eae_by_Libranalysis.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 3c271eae_by_Libranalysis.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.732940731.0000000000A45000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736721982.0000000003752000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.783765282.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926913116.0000000005675000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.815252847.0000000005AE0000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb5S source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000007.00000003.734585712.0000000000A3F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736372515.000000000374C000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: opengl32.pdbf source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb@ source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbt source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbN source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbe source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbP source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb_ source: WerFault.exe, 00000011.00000002.934165093.00000000052A2000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.733841780.0000000000A4B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736729941.0000000003758000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.815252847.0000000005AE0000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb. source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdbw source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbH source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdbGS source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbQS source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.816014446.0000000005AE5000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbM source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb- source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbx source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926884946.0000000005670000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdbo source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb\ source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926913116.0000000005675000.00000004.00000040.sdmp
Source: Binary string: KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000011.00000002.928673597.0000000001072000.00000004.00000001.sdmp
Source: Binary string: rasapi32.pdbY source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: glu32.pdbG source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb~ source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbr source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdbwS source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: FGERN.pdb source: 3c271eae_by_Libranalysis.dll
Source: Binary string: advapi32.pdbN source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbV source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbx source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.815252847.0000000005AE0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926659853.0000000005672000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000007.00000003.732940731.0000000000A45000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736721982.0000000003752000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.791534182.00000000012A1000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736367252.0000000003746000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdbA source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: KERNEL32C:\Windows\System32\KERNEL32.DLLC:\Windows\System32\KERNEL32.DLLRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.928673597.0000000001072000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbV source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: glu32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.816014446.0000000005AE5000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbe source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926884946.0000000005670000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926884946.0000000005670000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbS source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbD source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb( source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.734585712.0000000000A3F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736372515.000000000374C000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926884946.0000000005670000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbZ source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 00000007.00000003.732917274.0000000000A39000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736367252.0000000003746000.00000004.00000001.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb}2> source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb]S source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.815252847.0000000005AE0000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb+ source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb?S source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb!S source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdbl source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbeS source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.733841780.0000000000A4B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736729941.0000000003758000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.811134617.00000000012A7000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.815252847.0000000005AE0000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000011.00000003.926659853.0000000005672000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbZ source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926884946.0000000005670000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 193.200.130.181:443
Source: Malware configuration extractor | IPs: 95.138.161.226:2303
Source: Malware configuration extractor | IPs: 167.114.113.13:4125
Source: Joe Sandbox View | IP Address: 167.114.113.13
Source: Joe Sandbox View | IP Address: 95.138.161.226
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: RACKSPACE-LONGB
Source: WerFault.exe, 00000007.00000003.888034392.0000000004976000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micro

                  E-Banking Fraud:

                  Yara detected Dridex unpacked file
                  Source: Yara match; File source: 0000000F.00000002.933498628.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara match; File source: 0000000D.00000002.932757910.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.929835817.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000004.00000002.933327968.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara match; File source: 1.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 15.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 4.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 13.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                  Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_10001494
                  Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_10011460
                  Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_1000846C
                  Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_1000A52C
                  Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_10011D58
                  Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_10019348
                  Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_10010754
                  Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_100090CC
                  Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 760
                  Source: 3c271eae_by_Libranalysis.dll; Binary or memory string: OriginalFilenamej2pcsc.dllN vs 3c271eae_by_Libranalysis.dll
                  Source: 3c271eae_by_Libranalysis.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                  Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_7584c961c6fefb28629a227a579a8cc1f481e81d_82810a17_1806e157\Report.wer, type: DROPPED; Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =
                  Source: 3c271eae_by_Libranalysis.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: classification engine; Classification label: mal76.troj.evad.winDLL@20/9@0/3
                  Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7132
                  Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7144
                  Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7108
                  Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC9B.tmp
                  Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll,LoxmtYt
                  Source: 3c271eae_by_Libranalysis.dll; Metadefender: Detection: 21%
                  Source: 3c271eae_by_Libranalysis.dll; ReversingLabs: Detection: 27%
                  Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll'
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll,LoxmtYt
                  Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1
                  Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 928
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllCanUnloadNow
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllGetClassObject
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddFileToInstance
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddParameter
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiCancel
                  Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7108 -s 588
                  Source: 3c271eae_by_Libranalysis.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
                  Source: 3c271eae_by_Libranalysis.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.732940731.0000000000A45000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736721982.0000000003752000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.783765282.00000000052A0000.00000004.00000001.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926913116.0000000005675000.00000004.00000040.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
                  Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.815252847.0000000005AE0000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
                  Source: Binary string: dnsapi.pdb5S source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb source: WerFault.exe, 00000007.00000003.734585712.0000000000A3F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736372515.000000000374C000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
                  Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
                  Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
                  Source: Binary string: opengl32.pdbf source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: profapi.pdb@ source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: setupapi.pdbt source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdbN source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: dnsapi.pdbe source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: fltLib.pdbP source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: wkernel32.pdb_ source: WerFault.exe, 00000011.00000002.934165093.00000000052A2000.00000004.00000001.sdmp
                  Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.733841780.0000000000A4B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736729941.0000000003758000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.815252847.0000000005AE0000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdb. source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: rasapi32.pdbw source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdbH source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: rasapi32.pdbGS source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdbQS source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.816014446.0000000005AE5000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdbM source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: opengl32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: ClusApi.pdb- source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdbx source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: nsi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926884946.0000000005670000.00000004.00000040.sdmp
                  Source: Binary string: ntmarta.pdbo source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: ole32.pdb\ source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926913116.0000000005675000.00000004.00000040.sdmp
                  Source: Binary string: KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000011.00000002.928673597.0000000001072000.00000004.00000001.sdmp
                  Source: Binary string: rasapi32.pdbY source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: glu32.pdbG source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
                  Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp
                  Source: Binary string: profapi.pdb~ source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdbr source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: opengl32.pdbwS source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: FGERN.pdb source: 3c271eae_by_Libranalysis.dll
                  Source: Binary string: advapi32.pdbN source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: shlwapi.pdbV source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdbx source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.815252847.0000000005AE0000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926659853.0000000005672000.00000004.00000040.sdmp
                  Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000007.00000003.732940731.0000000000A45000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736721982.0000000003752000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.791534182.00000000012A1000.00000004.00000001.sdmp
                  Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736367252.0000000003746000.00000004.00000001.sdmp
                  Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: ClusApi.pdbA source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
                  Source: Binary string: KERNEL32C:\Windows\System32\KERNEL32.DLLC:\Windows\System32\KERNEL32.DLLRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.928673597.0000000001072000.00000004.00000001.sdmp
                  Source: Binary string: wimm32.pdbV source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: ClusApi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: glu32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.816014446.0000000005AE5000.00000004.00000040.sdmp
                  Source: Binary string: rasman.pdbe source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926884946.0000000005670000.00000004.00000040.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926884946.0000000005670000.00000004.00000040.sdmp
                  Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: rasman.pdbS source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdbD source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb( source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.734585712.0000000000A3F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736372515.000000000374C000.00000004.00000001.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.739537983.0000000004D51000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.805767429.0000000005901000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.926884946.0000000005670000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
                  Source: Binary string: oleaut32.pdbZ source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: rasman.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.808991952.0000000005AE2000.00000004.00000040.sdmp
                  Source: Binary string: bcrypt.pdbb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdb( source: WerFault.exe, 00000007.00000003.732917274.0000000000A39000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736367252.0000000003746000.00000004.00000001.sdmp
                  Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb}2> source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: ClusApi.pdb]S source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.739554715.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.815252847.0000000005AE0000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb+ source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb?S source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb!S source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.739561126.0000000004EE6000.00000004.00000040.sdmp, WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.926637905.0000000005871000.00000004.00000001.sdmp
                  Source: Binary string: sfc_os.pdbl source: WerFault.exe, 00000009.00000003.810520936.0000000005AE8000.00000004.00000040.sdmp
                  Source: Binary string: wimm32.pdbeS source: WerFault.exe, 00000011.00000003.926946031.0000000005678000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.733841780.0000000000A4B000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.736729941.0000000003758000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.811134617.00000000012A7000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe - Code function: 1_2_1000F6CC push esi; mov dword ptr [esp], 00000000h (1_2_1000F6CD)
Source: initial sample - Static PE information: section name: .text entropy: 7.5511794748
Source: C:\Windows\SysWOW64\rundll32.exe - Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe - Process information set: NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOOPENFILEERRORBOX (17 identical entries)

                  Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Windows\System32\loaddll32.exe - Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe - Section loaded: \KnownDlls32\Testapp.EXE (7 identical entries)
Source: C:\Windows\System32\loaddll32.exe - Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe - Thread delayed: delay time: 120000
Source: WerFault.exe, 00000007.00000002.922410876.00000000012D0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.934188762.0000000005320000.00000002.00000001.sdmp - Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000007.00000002.927600121.0000000004A44000.00000004.00000001.sdmp - Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000007.00000002.922410876.00000000012D0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.934188762.0000000005320000.00000002.00000001.sdmp - Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000007.00000002.922410876.00000000012D0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.934188762.0000000005320000.00000002.00000001.sdmp - Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000007.00000002.927600121.0000000004A44000.00000004.00000001.sdmp - Binary or memory string: Hyper-V RAWb
Source: WerFault.exe, 00000007.00000002.922410876.00000000012D0000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.934188762.0000000005320000.00000002.00000001.sdmp - Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.