Analysis Report 3c271eae_by_Libranalysis.dll

Overview

General Information

Sample Name: 3c271eae_by_Libranalysis.dll
Analysis ID: 404285
MD5: 3c271eae5a3a2817cfd8704f75fdf405
SHA1: 03b821b5d8b5416900245a05fce8541a21b6da7c
SHA256: dbd00287fe0c78430fee81ec6333b9c9b1863b7c62ac305de627ce6ca9fb314e
Tags: Dridex

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample file name differs from the original file name recorded in the version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 15.2.rundll32.exe.10000000.3.unpack Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}
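The configuration line above is the most actionable finding on this page. The following Python script is an added example, not part of the Joe Sandbox report or of any Dridex tooling: it parses that configuration exactly as printed, validates each C2 entry as a routable IPv4 address plus port (a malformed or private entry raises instead of becoming a broken indicator), emits one Suricata rule per C2 (the rule text and the 9000001+ SID range are this example's own choices), and includes a plain RC4 routine so the reported keys can be tried against encrypted blobs carved from the unpacked module. No ciphertext appears on this page, so the RC4 call is exercised only on a constructed string and on the standard published "Key"/"Plaintext" test vector; whether a given key decrypts a given blob from the sample is for the analyst to verify.

```python
"""Turn the Dridex configuration reported by the sandbox into usable artifacts."""
import ipaddress
import json
from typing import Dict, List, Tuple

# Configuration string as printed in the report above (copied verbatim).
REPORTED_CONFIG = (
    '{"Version": 40112, '
    '"C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], '
    '"RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", '
    '"xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}'
)


def parse_c2(entry: str) -> Tuple[str, int]:
    """Split 'host:port' and validate both halves; reject anything that would not
    make a usable network indicator (non-IP host, private/loopback range, bad port)."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"no port in C2 entry {entry!r}")
    ip = ipaddress.ip_address(host)  # raises ValueError on anything that is not an IP
    if ip.is_private or ip.is_loopback:
        raise ValueError(f"C2 {entry!r} is not a routable address")
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"bad port in C2 entry {entry!r}")
    return str(ip), port_num


def parse_config(raw: str) -> Dict[str, object]:
    """Decode the extractor's JSON into version, validated C2 pairs and key bytes."""
    cfg = json.loads(raw)
    return {
        "version": int(cfg["Version"]),
        "c2": [parse_c2(e) for e in cfg["C2 list"]],
        "rc4_keys": [k.encode("ascii") for k in cfg["RC4 keys"]],
    }


def suricata_rules(c2: List[Tuple[str, int]], sid_base: int = 9_000_001) -> List[str]:
    """One outbound-connection rule per C2 pair (rule wording and SID range are this
    example's own choices, not from the report)."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Dridex C2 {ip}:{port}"; flow:to_server; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2)
    ]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA followed by PRGA). Symmetric: one call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


if __name__ == "__main__":
    cfg = parse_config(REPORTED_CONFIG)
    print("Dridex version", cfg["version"])
    for rule in suricata_rules(cfg["c2"]):
        print(rule)
    # Constructed blob: no ciphertext is on the report page, so round-trip a made-up
    # string with the first reported key to show the key is usable as-is.
    key = cfg["rc4_keys"][0]
    blob = rc4(key, b"constructed sample text, not Dridex data")
    print(rc4(key, blob))
```

For real use, replace the round-trip at the bottom with the bytes of a suspected encrypted resource or string table carved from the unpacked rundll32.exe module named in the source line, and try both keys; the RC4 output is only meaningful if it decodes to printable strings or a recognisable structure.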
Multi AV Scanner detection for submitted file
Source: 3c271eae_by_Libranalysis.dll Metadefender: Detection: 21%
Source: 3c271eae_by_Libranalysis.dll ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: 3c271eae_by_Libranalysis.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 17.2.rundll32.exe.7b0000.2.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 15.2.rundll32.exe.560000.2.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.b40000.1.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 16.2.rundll32.exe.9e0000.2.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.850000.2.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 18.2.rundll32.exe.d90000.2.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.b90000.1.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 2.2.rundll32.exe.2fc0000.2.unpack Avira: Label: TR/ATRAPS.Gen2

Compliance:

Uses 32bit PE files
Source: 3c271eae_by_Libranalysis.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 3c271eae_by_Libranalysis.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
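The two static PE lines above summarise COFF header and optional header flags. The script below is an added example and not part of the report or of the sandbox: it reads those flags directly from a PE32 header by offset, without a third-party parser, and carves printable strings ending in .pdb, which is how a debug path such as the FGERN.pdb entry listed for the DLL further down is found. The image it checks is a constructed headers-only PE32 built inside the script (it is not the analysed sample); point pe_characteristics() and pdb_paths() at the real file's bytes to reproduce the report's findings.

```python
"""Static check for the PE flags and PDB paths the report lists for a 32-bit DLL."""
import re
import struct
from typing import Dict, List

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC = 0x10B


def pe_characteristics(data: bytes) -> Dict[str, bool]:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header and
    report the same flag names the sandbox prints."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20  # COFF header is 20 bytes; optional header follows
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != PE32_MAGIC:
        raise ValueError(f"not PE32 (magic {magic:#x}); PE32+ uses different offsets")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # PE32 DllCharacteristics
    return {
        "32BIT_MACHINE": machine == IMAGE_FILE_MACHINE_I386,
        "EXECUTABLE_IMAGE": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "DLL": bool(chars & IMAGE_FILE_DLL),
        "DYNAMIC_BASE": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "NX_COMPAT": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def pdb_paths(data: bytes) -> List[str]:
    """Printable ASCII runs that end in '.pdb', the strings the report lists."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{1,200}?\.pdb", data)]


def build_minimal_pe32(characteristics: int, dll_characteristics: int) -> bytes:
    """Constructed headers-only PE32 image for demonstration; not the analysed sample.
    It has no sections and cannot be loaded, but its headers parse like a real file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    # A fake debug path so pdb_paths() has something to carve (constructed, mirrors the
    # FGERN.pdb name the report attributes to the DLL).
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\x00FGERN.pdb\x00"


if __name__ == "__main__":
    image = build_minimal_pe32(
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL,
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
    )
    for name, present in pe_characteristics(image).items():
        print(f"{name}: {present}")
    print("pdb paths:", pdb_paths(image))
```

DYNAMIC_BASE and NX_COMPAT only say the image opts in to ASLR and DEP; for a malicious DLL loaded by rundll32.exe they are irrelevant to how dangerous it is and should not be read as hardening. The .pdb carving is deliberately loose (any printable run before the extension) so it also picks up the truncated or suffixed variants that appear in the WerFault memory dumps listed below; the trailing characters on those entries are dump noise, not part of the path.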
Source: Binary string: dnsapi.pdbF source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbnq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.424911525.0000000002A92000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.590103743.0000000002EA1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.592752094.00000000047CB000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb#dc source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb, source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588098874.0000000002E9B000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb! source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb~ source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdbl source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb3 source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb' source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb8 source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbX source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.423591311.0000000002A98000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.589251650.0000000003399000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdbv source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbx source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbA source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbO source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbi source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb] source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb@q source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb0 source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb/d source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdbW source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb[ source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb| source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb|, source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb5 source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: FGERN.pdb source: 3c271eae_by_Libranalysis.dll
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588054272.0000000002E95000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.424911525.0000000002A92000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.590103743.0000000002EA1000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbhq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdbc source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb+ source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: a'pjr*pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.574931083.0000000000632000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb)d source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: glu32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb2 source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb|q source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbR source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb& source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbT source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdbt source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb3 source: WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb=d source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.423735765.0000000002A8C000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588098874.0000000002E9B000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.588684577.000000000338D000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb* source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbpq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbbq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb|% source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb0 source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb5 source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbq source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000C.00000003.423542715.0000000002A86000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588054272.0000000002E95000.00000004.00000001.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbe source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.423591311.0000000002A98000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588185425.0000000002EA7000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.589251650.0000000003399000.00000004.00000001.sdmp
Source: Binary string: rasapi32.pdbvq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 193.200.130.181:443
Source: Malware configuration extractor IPs: 95.138.161.226:2303
Source: Malware configuration extractor IPs: 167.114.113.13:4125
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 167.114.113.13 167.114.113.13
Source: Joe Sandbox View IP Address: 95.138.161.226 95.138.161.226
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: Joe Sandbox View ASN Name: RACKSPACE-LONGB RACKSPACE-LONGB
Source: WerFault.exe, 0000001C.00000003.648753130.0000000005092000.00000004.00000001.sdmp String found in binary or memory: http://crl.micro
Source: WerFault.exe, 0000001B.00000003.645645354.0000000004C20000.00000004.00000001.sdmp String found in binary or memory: http://crl.micro8
Source: WerFault.exe, 0000001E.00000003.646412621.0000000002A79000.00000004.00000001.sdmp String found in binary or memory: http://crl.microH

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000010.00000002.578383295.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.659180073.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.599608439.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.660063361.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.578360981.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.663523541.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 15.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001494 3_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10011460 3_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000846C 3_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000A52C 3_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10011D58 3_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10019348 3_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010754 3_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100090CC 3_2_100090CC
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 764
Sample file is different than original file name gathered from version info
Source: 3c271eae_by_Libranalysis.dll Binary or memory string: OriginalFilenamej2pcsc.dllN vs 3c271eae_by_Libranalysis.dll
Uses 32bit PE files
Source: 3c271eae_by_Libranalysis.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_1790f1d2\Report.wer, type: DROPPED Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =
Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_01d168c7\Report.wer, type: DROPPED Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =
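The two Report.wer matches above are the Windows Error Reporting files dropped for the rundll32 crashes; the matched rule keys on a heap-corruption crash, which WER records as exception code 0xC0000374 (STATUS_HEAP_CORRUPTION). The following Python is an added example, not part of the Joe Sandbox report or of the Yara rule it cites: it parses a Report.wer (UTF-16LE key=value text), pairs the Sig[n].Name/Sig[n].Value entries, flags that exception code and lists any loaded module under a user-writable path. The embedded Report.wer content is constructed to mirror the rundll32 crashes listed here; every value in it is made up.

```python
"""Parse a WER Report.wer file and flag STATUS_HEAP_CORRUPTION crashes.

Added example; not code from the Joe Sandbox report. Report.wer files are
UTF-16LE key=value text under
C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\AppCrash_*\\.
"""
import re

STATUS_HEAP_CORRUPTION = 0xC0000374   # exception code WER records for a heap-corruption crash
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
SIG_RE = re.compile(r"^(Sig|DynamicSig)\[(\d+)\]\.(Name|Value)$")

# Constructed Report.wer content: field names follow the real WER layout, all
# values are made up to resemble the rundll32 crashes listed in this report.
SAMPLE_REPORT_WER = ("\ufeff" + "\r\n".join([
    "Version=1",
    "EventType=APPCRASH",
    "ReportType=2",
    "Consent=1",
    "NsAppName=rundll32.exe",
    "Sig[0].Name=Application Name",
    "Sig[0].Value=rundll32.exe",
    "Sig[1].Name=Application Version",
    "Sig[1].Value=10.0.17134.1",
    "Sig[3].Name=Fault Module Name",
    "Sig[3].Value=ntdll.dll",
    "Sig[6].Name=Exception Code",
    "Sig[6].Value=c0000374",
    "Sig[7].Name=Exception Offset",
    "Sig[7].Value=000e2fd3",
    "FriendlyEventName=Stopped working",
    "AppName=Windows host process (Rundll32)",
    "AppPath=C:\\Windows\\SysWOW64\\rundll32.exe",
    "LoadedModule[0]=C:\\Windows\\SysWOW64\\rundll32.exe",
    "LoadedModule[1]=C:\\Windows\\SysWOW64\\ntdll.dll",
    "LoadedModule[9]=C:\\Users\\user\\Desktop\\3c271eae_by_Libranalysis.dll",
]) + "\r\n").encode("utf-16-le")


def parse_report_wer(data: bytes) -> dict:
    """Return {'fields', 'signatures', 'modules'} from raw Report.wer bytes."""
    text = data.decode("utf-16")          # honours the BOM that WER writes
    fields, modules, pending = {}, [], {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = SIG_RE.match(key)
        if m:                             # Sig[n].Name / Sig[n].Value arrive as pairs
            pending.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = value
        elif key.startswith("LoadedModule["):
            modules.append(value)
        else:
            fields[key] = value
    signatures = {nv["Name"]: nv["Value"] for nv in pending.values()
                  if "Name" in nv and "Value" in nv}
    return {"fields": fields, "signatures": signatures, "modules": modules}


def exception_code(report: dict):
    """Exception code as an int, or None if the report carries none."""
    code = report["signatures"].get("Exception Code")
    return int(code, 16) if code else None


def is_heap_corruption(report: dict) -> bool:
    return exception_code(report) == STATUS_HEAP_CORRUPTION


def modules_from_user_paths(report: dict) -> list:
    """Loaded modules under user-writable directories, i.e. the DLL rundll32 was hosting."""
    return [m for m in report["modules"] if USER_WRITABLE_RE.search(m)]


def triage(report: dict) -> dict:
    """Summarise what an analyst wants from one crash report."""
    return {
        "app": report["signatures"].get("Application Name"),
        "exception_code": exception_code(report),
        "heap_corruption": is_heap_corruption(report),
        "user_path_modules": modules_from_user_paths(report),
    }


if __name__ == "__main__":
    print(triage(parse_report_wer(SAMPLE_REPORT_WER)))
```

On a live host the files sit under C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_*\ (the paths in the two matches above); running that directory through parse_report_wer and triage gives the same heap-corruption signal the Yara rule raises and additionally names the user-path DLL the crashed rundll32 had loaded, which a string match on the file does not surface.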
Source: 3c271eae_by_Libranalysis.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal76.troj.evad.winDLL@22/20@0/3
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5492
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5100
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5648
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess644
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6004
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD297.tmp
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 3c271eae_by_Libranalysis.dll Metadefender: Detection: 21%
Source: 3c271eae_by_Libranalysis.dll ReversingLabs: Detection: 27%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll,LoxmtYt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 764
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 888
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddFileToInstance
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddParameter
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiCancel
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 752
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 756
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 764
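The process lines above show the sandbox loader calling each of the DLL's exports through a separate rundll32 instance (LoxmtYt, #1, DllCanUnloadNow, DllGetClassObject, WdiAddFileToInstance, WdiAddParameter, WdiCancel) and five of those rundll32 processes spawning WerFault. The following Python is an added example, not Joe Sandbox code: it takes (parent, image, command line) process-creation events, picks out rundll32 invocations that load a DLL from a user-writable path or call an export by ordinal, correlates WerFault children of rundll32 with them, and returns a score. The event list is constructed from the lines above; the weights and the user-writable path list are assumptions of this example, not a published detection rule.

```python
"""Score process-creation events for the rundll32 / WerFault chain in this report.

Added example, not Joe Sandbox code. Events are (parent image, image, command
line) triples; a real deployment would feed Sysmon Event ID 1 or EDR telemetry.
"""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "parent image cmdline")

# rundll32 <dll>,<export>  with or without quotes; export is a name or #ordinal
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+'?(.+?\.dll)'?\s*,\s*(\S+)", re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)", re.IGNORECASE)
# Assumed list of user-writable locations a signed system DLL should not live in.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)

SYS = "C:\\Windows\\SysWOW64\\"
DLL = "C:\\Users\\user\\Desktop\\3c271eae_by_Libranalysis.dll"
LOADER = "C:\\Windows\\System32\\loaddll32.exe"   # the sandbox's own DLL loader

# Constructed from the "Process created" lines of this report.
EVENTS = [
    ProcEvent("unknown", LOADER, f"loaddll32.exe '{DLL}'"),
    ProcEvent(LOADER, SYS + "cmd.exe", f"cmd.exe /C rundll32.exe '{DLL}',#1"),
    ProcEvent(LOADER, SYS + "rundll32.exe", f"rundll32.exe {DLL},LoxmtYt"),
    ProcEvent(SYS + "cmd.exe", SYS + "rundll32.exe", f"rundll32.exe '{DLL}',#1"),
    ProcEvent(SYS + "rundll32.exe", SYS + "WerFault.exe", SYS + "WerFault.exe -u -p 5648 -s 764"),
    ProcEvent(SYS + "rundll32.exe", SYS + "WerFault.exe", SYS + "WerFault.exe -u -p 5100 -s 888"),
    ProcEvent(LOADER, SYS + "rundll32.exe", f"rundll32.exe '{DLL}',DllCanUnloadNow"),
    ProcEvent(LOADER, SYS + "rundll32.exe", f"rundll32.exe '{DLL}',DllGetClassObject"),
    ProcEvent(LOADER, SYS + "rundll32.exe", f"rundll32.exe '{DLL}',WdiAddFileToInstance"),
    ProcEvent(LOADER, SYS + "rundll32.exe", f"rundll32.exe '{DLL}',WdiAddParameter"),
    ProcEvent(LOADER, SYS + "rundll32.exe", f"rundll32.exe '{DLL}',WdiCancel"),
    ProcEvent(SYS + "rundll32.exe", SYS + "WerFault.exe", SYS + "WerFault.exe -u -p 644 -s 752"),
    ProcEvent(SYS + "rundll32.exe", SYS + "WerFault.exe", SYS + "WerFault.exe -u -p 6004 -s 756"),
    ProcEvent(SYS + "rundll32.exe", SYS + "WerFault.exe", SYS + "WerFault.exe -u -p 5492 -s 764"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline: str):
    """(dll_path, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def analyze(events) -> dict:
    """Collect rundll32 loads, their reasons for suspicion, rundll32 crashes and a score."""
    loads, crashed_pids = [], []
    for ev in events:
        img = basename(ev.image)
        if img == "rundll32.exe":
            parsed = parse_rundll32(ev.cmdline)
            if not parsed:
                continue
            dll, export = parsed
            reasons = []
            if USER_WRITABLE_RE.search(dll):
                reasons.append("dll in user-writable path")
            if export.startswith("#"):
                reasons.append("export called by ordinal")
            loads.append({"dll": dll, "export": export, "reasons": reasons})
        elif img == "werfault.exe" and basename(ev.parent) == "rundll32.exe":
            m = WERFAULT_PID_RE.search(ev.cmdline)   # -p <pid> is the crashed process
            if m:
                crashed_pids.append(int(m.group(1)))
    suspicious = [l for l in loads if l["reasons"]]
    score = 0                                        # weights are this example's assumption
    if suspicious:
        score += 50
    if any("export called by ordinal" in l["reasons"] for l in loads):
        score += 10
    if crashed_pids and suspicious:
        score += 30   # rundll32 crashed while hosting a DLL from a user-writable path
    return {"loads": loads, "suspicious": suspicious, "crashed_pids": crashed_pids,
            "exports": sorted({l["export"] for l in loads}), "score": score}


if __name__ == "__main__":
    result = analyze(EVENTS)
    print(result["score"], result["exports"], result["crashed_pids"])
```

The exports list is the part worth keeping from a sandbox run: it records which entry points were exercised, so the unpacked memory regions listed under the Yara matches can be tied back to the export that produced them. A rundll32 loading a DLL from C:\Windows\System32 by name scores 0 here, which is the intended baseline for benign control-panel and shell invocations.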
Source: 3c271eae_by_Libranalysis.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 3c271eae_by_Libranalysis.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: dnsapi.pdbF source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbnq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.424911525.0000000002A92000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.590103743.0000000002EA1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.592752094.00000000047CB000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb#dc source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb, source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588098874.0000000002E9B000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb! source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb~ source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdbl source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb3 source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb' source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb8 source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbX source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.423591311.0000000002A98000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.589251650.0000000003399000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdbv source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdbx source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbA source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbO source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbi source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb] source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb@q source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb0 source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb/d source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdbW source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb[ source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb| source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb|, source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb5 source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: FGERN.pdb source: 3c271eae_by_Libranalysis.dll
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588054272.0000000002E95000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.424911525.0000000002A92000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.590103743.0000000002EA1000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbhq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdbc source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb+ source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: a'pjr*pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.574931083.0000000000632000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb)d source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: glu32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb2 source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb|q source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbR source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb& source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbT source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: ClusApi.pdbt source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb3 source: WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb=d source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.423735765.0000000002A8C000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588098874.0000000002E9B000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.588684577.000000000338D000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb* source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbpq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbbq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb|% source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb0 source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb5 source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbq source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000C.00000003.423542715.0000000002A86000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588054272.0000000002E95000.00000004.00000001.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbe source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.423591311.0000000002A98000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588185425.0000000002EA7000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.589251650.0000000003399000.00000004.00000001.sdmp
Source: Binary string: rasapi32.pdbvq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000F6CC push esi; mov dword ptr [esp], 00000000h 3_2_1000F6CD
Source: initial sample Static PE information: section name: .text entropy: 7.5511794748

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Windows\System32\loaddll32.exe Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: WerFault.exe, 00000009.00000002.590600572.0000000004D60000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.576175012.0000000004AA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.652189195.0000000004C80000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.655711395.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.653365977.00000000049D0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000001B.00000003.640882384.0000000004C76000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: WerFault.exe, 00000009.00000002.590399877.0000000004B42000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.649430287.0000000002E5D000.00000004.00000020.sdmp, WerFault.exe, 0000001C.00000002.652211709.0000000003350000.00000004.00000020.sdmp, WerFault.exe, 0000001E.00000002.653157247.00000000047BF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000009.00000002.590600572.0000000004D60000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.576175012.0000000004AA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.652189195.0000000004C80000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.655711395.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.653365977.00000000049D0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000009.00000002.590600572.0000000004D60000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.576175012.0000000004AA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.652189195.0000000004C80000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.655711395.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.653365977.00000000049D0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000001B.00000003.645667418.0000000004C76000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0w
Source: WerFault.exe, 00000009.00000002.590600572.0000000004D60000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.576175012.0000000004AA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.652189195.0000000004C80000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.655711395.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.653365977.00000000049D0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 3_2_10006D50

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1 Jump to behavior
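The evidence the report gives for this signature is cmd.exe launching rundll32.exe with the dropped DLL and an export called by ordinal (#1), and the behavior graph further down shows each rundll32.exe instance followed by a WerFault.exe child. The CREATE_SUSPENDED flag itself is not recorded in a standard process-creation telemetry event, so a detection has to lean on the command line and the process lineage instead. The Python below is an added example, not the sandbox's or the sample's code: it runs a scoring rule over constructed Sysmon-style Event ID 1 records (field names follow Sysmon; the PIDs, the WerFault.exe arguments and the two benign rundll32 launches are made up for the example) and then correlates any WerFault.exe child whose -p argument names the flagged process, which is the crash pattern visible in this analysis. The weights and the alert threshold are assumptions chosen for the example.

```python
"""Flag rundll32.exe launches shaped like the one in this report and correlate the crash.

Added example with constructed Sysmon-style Event ID 1 records; not the sandbox's or the sample's code.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed events: PIDs, WerFault arguments and the benign launches are invented for the example.
EVENTS: List[Dict] = [
    {"ProcessId": 1100, "ParentProcessId": 1000,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1"},
    {"ProcessId": 1200, "ParentProcessId": 1100,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe", "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 1536"},
    {"ProcessId": 1300, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl"},
    {"ProcessId": 1400, "ParentProcessId": 800,
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,#61 C:\Users\user\notes.txt"},
]

# Accepts both 'path',#1 (as quoted in this report) and "path",Name or bare path,Name forms.
RUNDLL_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+["']?(?P<dll>[^"',]+?)["']?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)""",
    re.IGNORECASE,
)
WERFAULT_PID_RE = re.compile(r"\s-p\s+(?P<pid>\d+)", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline: str) -> Optional[Dict[str, str]]:
    """Split 'rundll32.exe <dll>,<export> ...' into the DLL path and the export (name or #ordinal)."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return {"dll": m.group("dll").strip(), "export": m.group("export")}


def score_rundll32(event: Dict, parsed: Dict[str, str]) -> Tuple[int, List[str]]:
    """Assumed weights: ordinal export +2, user-writable DLL path +2, scripting-host parent +1."""
    score, reasons = 0, []
    if parsed["export"].startswith("#"):
        score += 2
        reasons.append(f"export called by ordinal ({parsed['export']})")
    if any(marker in parsed["dll"].lower() for marker in USER_WRITABLE):
        score += 2
        reasons.append("DLL loaded from a user-writable path")
    parent = basename(event["ParentImage"])
    if parent in SCRIPT_HOSTS:
        score += 1
        reasons.append(f"spawned by {parent}")
    return score, reasons


def detect(events: List[Dict], threshold: int = 3) -> List[Dict]:
    """Return alerts for rundll32.exe events at or above the threshold, noting a WerFault.exe crash child."""
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)
    alerts = []
    for e in events:
        if basename(e["Image"]) != "rundll32.exe":
            continue
        parsed = parse_rundll32(e["CommandLine"])
        if parsed is None:
            continue
        score, reasons = score_rundll32(e, parsed)
        if score < threshold:
            continue
        # WerFault.exe names the faulting process in its -p argument; match it against this PID.
        crashed = False
        for child in children[e["ProcessId"]]:
            m = WERFAULT_PID_RE.search(child["CommandLine"])
            if basename(child["Image"]) == "werfault.exe" and m and int(m.group("pid")) == e["ProcessId"]:
                crashed = True
        if crashed:
            reasons.append("WerFault.exe reported a crash of this process")
        alerts.append({"pid": e["ProcessId"], "dll": parsed["dll"], "export": parsed["export"],
                       "score": score, "reasons": reasons, "crashed": crashed})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["pid"], alert["score"], alert["dll"], alert["export"], "; ".join(alert["reasons"]))
```

In real telemetry, correlate on ProcessGuid rather than ProcessId, since PIDs are reused; the crash correlation is context for the analyst and does not change the score, because a legitimate export can also fault.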

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 3_2_10006D50
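Two things in the evidence above deserve a second look before they are read as sample capabilities. The Hyper-V strings come from WerFault.exe memory dumps, and WerFault.exe is Windows Error Reporting rather than the sample, so those strings are Windows' own error text rather than a VM check the DLL performs. The anti-debugging and locale signatures both point at the same function, 3_2_10006D50, whose API list (GetStringTypeA, LCMapStringA, HeapValidate, IsBadReadPtr, FreeEnvironmentStringsA, OutputDebugStringA and the rest) is the set a statically linked MSVC C runtime brings in on its own; the OutputDebugString/GetLastError trick itself depends on the last-error value differing when a debugger receives the string, behaviour that varies between Windows versions. The Python below is an added example, not the Joe Sandbox report's or any Joe Sandbox tooling's code: it parses lines in the report's own format, splits each memory-dump source into process name plus analysis process number and stage (an assumption drawn from the shape of identifiers such as 3_2_10006D50, read here as process 3, stage 2, virtual address 0x10006D50), deduplicates functions listed under several signatures, and rates each finding low when it is sourced only from WerFault.exe or when most of a function's APIs are C runtime imports. The API sets, the 0.6 boilerplate threshold and the sample lines (constructed copies of entries on this page) are assumptions for the example.

```python
"""Structure Joe Sandbox-style signature lines and rate how much each says about the sample.

Added example; the report lines are constructed copies of entries on this page and the
API sets, threshold and field interpretation are assumptions for the example.
"""
import re
from typing import Dict, List

REPORT_LINES = [
    r"Source: WerFault.exe, 0000001B.00000003.640882384.0000000004C76000.00000004.00000001.sdmp "
    r"Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm",
    r"Source: WerFault.exe, 00000009.00000002.590600572.0000000004D60000.00000002.00000001.sdmp, "
    r"WerFault.exe, 0000000C.00000002.576175012.0000000004AA0000.00000002.00000001.sdmp "
    r"Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,"
    r"GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,"
    r"GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,"
    r"LCMapStringA,LoadLibraryA,OutputDebugStringA, 3_2_10006D50",
    # The same function listed again under another signature, without the leading id.
    r"Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserNameW,MessageBoxW,GetLastError,"
    r"CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,"
    r"GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,"
    r"LCMapStringA,LoadLibraryA,OutputDebugStringA, 3_2_10006D50",
]

# Memory-dump source, e.g. 0000001B.00000003.640882384.0000000004C76000.00000004.00000001.sdmp
# Assumption: first field = analysis process number, second = stage, fourth = dump base address.
DUMP_RE = re.compile(
    r"(?P<proc>[^,]+?), (?P<pnum>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.sdmp"
)
MEMSTR_RE = re.compile(r"^Source: (?P<sources>.+?) Binary or memory string: (?P<text>.*)$")
FUNC_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: (?:(?P<fid>\d+_\d+_[0-9A-F]+) )?"
    r"(?P<apis>[A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*),\s*(?P<fid2>\d+_\d+_[0-9A-F]+)$"
)

SAMPLE_HOST_IMAGES = {"rundll32.exe", "loaddll32.exe"}  # assumption: where the DLL runs in this report
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
                   "OutputDebugStringA", "OutputDebugStringW", "DebugBreak"}
LOCALE_APIS = {"GetLocaleInfoA", "GetLocaleInfoW", "GetUserDefaultLCID", "GetUserDefaultUILanguage",
               "GetSystemDefaultLangID", "GetUserDefaultLangID", "GetKeyboardLayoutList"}
# Imports the MSVC C runtime pulls in by itself (startup, debug heap, locale tables, debug reporting).
CRT_APIS = {"FreeEnvironmentStringsA", "GetEnvironmentStrings", "GetStartupInfoA", "GetStringTypeA",
            "LCMapStringA", "HeapValidate", "IsBadReadPtr", "GetConsoleOutputCP", "FlushFileBuffers",
            "GetLocaleInfoA", "OutputDebugStringA", "DebugBreak"}
VM_HINTS = ("hyper-v", "vmware", "virtualbox", "vbox", "qemu")


def parse_report(lines: List[str]) -> Dict[str, list]:
    """Turn memory-string and code-function lines into dicts, deduplicating repeated functions."""
    memory_strings, code_functions, seen = [], [], set()
    for line in lines:
        line = line.strip()
        m = MEMSTR_RE.match(line)
        if m:
            sources = [{"proc": d.group("proc").strip(), "pnum": int(d.group("pnum"), 16),
                        "stage": int(d.group("stage"), 16), "base": int(d.group("base"), 16)}
                       for d in DUMP_RE.finditer(m.group("sources"))]
            memory_strings.append({"text": m.group("text"), "sources": sources})
            continue
        m = FUNC_RE.match(line)
        if m:
            fid = m.group("fid") or m.group("fid2")
            image = m.group("image").rsplit("\\", 1)[-1].lower()
            if (image, fid) in seen:
                continue
            seen.add((image, fid))
            code_functions.append({"image": image, "fid": fid, "apis": set(m.group("apis").split(","))})
    return {"memory_strings": memory_strings, "code_functions": code_functions}


def triage(parsed: Dict[str, list]) -> List[dict]:
    """Rate each finding: low when only WerFault.exe holds the string or the APIs look like CRT boilerplate."""
    findings = []
    for ms in parsed["memory_strings"]:
        procs = sorted({s["proc"].lower() for s in ms["sources"]})
        from_sample = any(p in SAMPLE_HOST_IMAGES for p in procs)
        findings.append({"kind": "memory_string", "text": ms["text"], "procs": procs,
                         "vm_hint": any(h in ms["text"].lower() for h in VM_HINTS),
                         "from_sample": from_sample,
                         "confidence": "medium" if from_sample else "low"})
    for fn in parsed["code_functions"]:
        apis = fn["apis"]
        crt_share = len(apis & CRT_APIS) / len(apis)
        boilerplate = crt_share >= 0.6  # assumed threshold
        findings.append({"kind": "code_function", "image": fn["image"], "fid": fn["fid"],
                         "anti_debug": sorted(apis & ANTI_DEBUG_APIS),
                         "locale": sorted(apis & LOCALE_APIS),
                         "crt_share": round(crt_share, 2),
                         "likely_crt_boilerplate": boilerplate,
                         "confidence": "low" if boilerplate else "medium"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_report(REPORT_LINES)):
        print(f)
```

Low-confidence findings are worth keeping in the record, since an unpacked Dridex stage may well carry a real debugger check, but they should be confirmed in the unpacked payload rather than inherited from the sandbox's signature names.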
Behavior Graph ID: 404285   Sample: 3c271eae_by_Libranalysis.dll   Startdate: 04/05/2021   Architecture: WINDOWS   Score: 76

Sample (root node) contacts: 95.138.161.226 (RACKSPACE-LONGB, United Kingdom); 167.114.113.13 (OVHFR, Canada); 193.200.130.181 (CLOUD-MANAGEMENT-LLCUS, unknown)
Sample (root node) signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Dridex unpacked file; 2 other signatures

Process tree (graph node numbers in brackets; trailing counters as in the original graph):
  [9] loaddll32.exe 1 - Tries to detect sandboxes / dynamic malware analysis system (file name check)
    [12] cmd.exe 1
      [21] rundll32.exe - Tries to detect sandboxes / dynamic malware analysis system (file name check)
        [32] WerFault.exe 23 9
    [14] rundll32.exe - Tries to detect sandboxes / dynamic malware analysis system (file name check)
      [24] WerFault.exe 9
    [17] rundll32.exe
      [26] WerFault.exe 2 9
    [19] 4 other processes
      [28] WerFault.exe 9
      [30] WerFault.exe 9

Contacted Public IPs

IP               Domain   Country         ASN    ASN Name                Malicious
167.114.113.13   unknown  Canada          16276  OVHFR                   true
95.138.161.226   unknown  United Kingdom  15395  RACKSPACE-LONGB         true
193.200.130.181  unknown  unknown         42960  CLOUD-MANAGEMENT-LLCUS  true