Analysis Report 3c271eae_by_Libranalysis.dll

Overview

General Information

Sample Name: 3c271eae_by_Libranalysis.dll
Analysis ID: 404285
MD5: 3c271eae5a3a2817cfd8704f75fdf405
SHA1: 03b821b5d8b5416900245a05fce8541a21b6da7c
SHA256: dbd00287fe0c78430fee81ec6333b9c9b1863b7c62ac305de627ce6ca9fb314e
Tags: Dridex

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 4240 cmdline: loaddll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5632 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5648 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 6092 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 764 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5100 cmdline: rundll32.exe C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll,LoxmtYt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5932 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 888 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 644 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 396 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 752 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6004 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3520 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 2908 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddFileToInstance MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5332 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddParameter MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5492 cmdline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiCancel MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 764 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

Malware Configuration

Threatname: Dridex

{"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}

Yara Overview

Dropped Files

Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_1790f1d2\Report.wer
Rule: SUSP_WER_Critical_HeapCorruption
Description: Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation)
Author: Florian Roth
Strings:
  • 0x11c:$a1: ReportIdentifier=
  • 0x19e:$a1: ReportIdentifier=
  • 0x77c:$a2: .Name=Fault Module Name
  • 0x92a:$s1: c0000374

Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_01d168c7\Report.wer
Rule: SUSP_WER_Critical_HeapCorruption
Description: Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation)
Author: Florian Roth
Strings:
  • 0x11c:$a1: ReportIdentifier=
  • 0x19e:$a1: ReportIdentifier=
  • 0x77a:$a2: .Name=Fault Module Name
  • 0x928:$s1: c0000374

Memory Dumps

  • 00000010.00000002.578383295.0000000010001000.00000020.00020000.sdmp: JoeSecurity_Dridex_1 (Yara detected Dridex unpacked file; author: Joe Security)
  • 0000000D.00000002.659180073.0000000010001000.00000020.00020000.sdmp: JoeSecurity_Dridex_1 (Yara detected Dridex unpacked file; author: Joe Security)
  • 00000003.00000002.599608439.0000000010001000.00000020.00020000.sdmp: JoeSecurity_Dridex_1 (Yara detected Dridex unpacked file; author: Joe Security)
  • 00000012.00000002.660063361.0000000010001000.00000020.00020000.sdmp: JoeSecurity_Dridex_1 (Yara detected Dridex unpacked file; author: Joe Security)
  • 00000011.00000002.578360981.0000000010001000.00000020.00020000.sdmp: JoeSecurity_Dridex_1 (Yara detected Dridex unpacked file; author: Joe Security)

Unpacked PEs

  • 15.2.rundll32.exe.10000000.3.unpack: JoeSecurity_Dridex_1 (Yara detected Dridex unpacked file; author: Joe Security)
  • 13.2.rundll32.exe.10000000.3.unpack: JoeSecurity_Dridex_1 (Yara detected Dridex unpacked file; author: Joe Security)
  • 16.2.rundll32.exe.10000000.3.unpack: JoeSecurity_Dridex_1 (Yara detected Dridex unpacked file; author: Joe Security)
  • 17.2.rundll32.exe.10000000.3.unpack: JoeSecurity_Dridex_1 (Yara detected Dridex unpacked file; author: Joe Security)
  • 18.2.rundll32.exe.10000000.3.unpack: JoeSecurity_Dridex_1 (Yara detected Dridex unpacked file; author: Joe Security)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 15.2.rundll32.exe.10000000.3.unpack, Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["193.200.130.181:443", "95.138.161.226:2303", "167.114.113.13:4125"], "RC4 keys": ["MqW38NQIO70GhjGOOvjtl5AwyenW6A8fcZ", "xeMr6QHn7uRk1D2ChU8OuyaRFUZJZZHUIgxCzaPXtOkjmhTMtNxfWU8nlnD7q009ahEI51R1"]}
Multi AV Scanner detection for submitted file
Source: 3c271eae_by_Libranalysis.dll, Metadefender: Detection: 21%
Source: 3c271eae_by_Libranalysis.dll, ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: 3c271eae_by_Libranalysis.dll, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 17.2.rundll32.exe.7b0000.2.unpack, Avira: Label: TR/ATRAPS.Gen2
Source: 15.2.rundll32.exe.560000.2.unpack, Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.b40000.1.unpack, Avira: Label: TR/ATRAPS.Gen2
Source: 16.2.rundll32.exe.9e0000.2.unpack, Avira: Label: TR/ATRAPS.Gen2
Source: 3.2.rundll32.exe.850000.2.unpack, Avira: Label: TR/ATRAPS.Gen2
Source: 18.2.rundll32.exe.d90000.2.unpack, Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.b90000.1.unpack, Avira: Label: TR/ATRAPS.Gen2
Source: 2.2.rundll32.exe.2fc0000.2.unpack, Avira: Label: TR/ATRAPS.Gen2
Source: 3c271eae_by_Libranalysis.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 3c271eae_by_Libranalysis.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: FGERN.pdb, source: 3c271eae_by_Libranalysis.dll
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb& source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbT source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: ClusApi.pdbt source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb3 source: WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb=d source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.423735765.0000000002A8C000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588098874.0000000002E9B000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.588684577.000000000338D000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb* source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: dnsapi.pdbpq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbbq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb|% source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb0 source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb5 source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdbq source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000C.00000003.423542715.0000000002A86000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588054272.0000000002E95000.00000004.00000001.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdbe source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.423591311.0000000002A98000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588185425.0000000002EA7000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.589251650.0000000003399000.00000004.00000001.sdmp
                      Source: Binary string: rasapi32.pdbvq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp

                      Networking:

                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractor; IPs: 193.200.130.181:443
                      Source: Malware configuration extractor; IPs: 95.138.161.226:2303
                      Source: Malware configuration extractor; IPs: 167.114.113.13:4125
                      Source: Joe Sandbox View; IP Address: 167.114.113.13
                      Source: Joe Sandbox View; IP Address: 95.138.161.226
                      Source: Joe Sandbox View; ASN Name: OVHFR
                      Source: Joe Sandbox View; ASN Name: RACKSPACE-LONGB
                      Source: WerFault.exe, 0000001C.00000003.648753130.0000000005092000.00000004.00000001.sdmp; String found in binary or memory: http://crl.micro
                      Source: WerFault.exe, 0000001B.00000003.645645354.0000000004C20000.00000004.00000001.sdmp; String found in binary or memory: http://crl.micro8
                      Source: WerFault.exe, 0000001E.00000003.646412621.0000000002A79000.00000004.00000001.sdmp; String found in binary or memory: http://crl.microH

                      E-Banking Fraud:

                      Yara detected Dridex unpacked file
                      Source: Yara match; File source: 00000010.00000002.578383295.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000D.00000002.659180073.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000002.599608439.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000012.00000002.660063361.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000011.00000002.578360981.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000F.00000002.663523541.0000000010001000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 15.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 13.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 17.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10001494
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10011460
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1000846C
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_1000A52C
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10011D58
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10019348
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10010754
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_100090CC
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 764
                      Source: 3c271eae_by_Libranalysis.dll; Binary or memory string: OriginalFilenamej2pcsc.dllN vs 3c271eae_by_Libranalysis.dll
                      Source: 3c271eae_by_Libranalysis.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_1790f1d2\Report.wer, type: DROPPED; Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =
                      Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_01d168c7\Report.wer, type: DROPPED; Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =
                      Source: 3c271eae_by_Libranalysis.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: classification engine; Classification label: mal76.troj.evad.winDLL@22/20@0/3
                      Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5492
                      Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5100
                      Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5648
                      Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess644
                      Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6004
                      Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD297.tmp
                      Source: 3c271eae_by_Libranalysis.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll,LoxmtYt
                      Source: 3c271eae_by_Libranalysis.dll; Metadefender: Detection: 21%
                      Source: 3c271eae_by_Libranalysis.dll; ReversingLabs: Detection: 27%
                      Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll'
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll,LoxmtYt
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 764
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 888
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllCanUnloadNow
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllGetClassObject
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddFileToInstance
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddParameter
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiCancel
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 752
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 756
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 764
                      Source: 3c271eae_by_Libranalysis.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: 3c271eae_by_Libranalysis.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: dnsapi.pdbF source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdbnq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.424911525.0000000002A92000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.590103743.0000000002EA1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.592752094.00000000047CB000.00000004.00000001.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb#dc source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb, source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588098874.0000000002E9B000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb! source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb~ source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: opengl32.pdbl source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: bcrypt.pdb3 source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb' source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb8 source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbX source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.423591311.0000000002A98000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.589251650.0000000003399000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: opengl32.pdbv source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdbx source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdbA source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
                      Source: Binary string: opengl32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdbO source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdbi source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb] source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: ClusApi.pdb@q source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb0 source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdbb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb/d source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdbW source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: shlwapi.pdb[ source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb| source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb|, source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
                      Source: Binary string: opengl32.pdb5 source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
                      Source: Binary string: FGERN.pdb source: 3c271eae_by_Libranalysis.dll
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588054272.0000000002E95000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.424911525.0000000002A92000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.590103743.0000000002EA1000.00000004.00000001.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbhq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdbc source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: ole32.pdb+ source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
                      Source: Binary string: a'pjr*pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000C.00000002.574931083.0000000000632000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb)d source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: ClusApi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: glu32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: wsspicli.pdb2 source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb|q source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdbR source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb& source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdbT source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: ClusApi.pdbt source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdb3 source: WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp
                      Source: Binary string: profapi.pdb=d source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.423735765.0000000002A8C000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588098874.0000000002E9B000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.588684577.000000000338D000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: setupapi.pdb* source: WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: dnsapi.pdbpq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdbbq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.511740943.0000000004DE2000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: sfc.pdb|% source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb0 source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: sfc_os.pdb5 source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdbq source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000C.00000003.423542715.0000000002A86000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588054272.0000000002E95000.00000004.00000001.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdbe source: WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.427375651.0000000005180000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.517865960.0000000004DE0000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605811960.00000000051C0000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606439459.00000000055B0000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609305997.0000000004C30000.00000004.00000040.sdmp
                      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.423591311.0000000002A98000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.588185425.0000000002EA7000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.589251650.0000000003399000.00000004.00000001.sdmp
                      Source: Binary string: rasapi32.pdbvq source: WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.427384192.0000000005186000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.513207382.0000000004DE8000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.605850778.00000000051C6000.00000004.00000040.sdmp, WerFault.exe, 0000001C.00000003.606466131.00000000055B6000.00000004.00000040.sdmp, WerFault.exe, 0000001E.00000003.609386178.0000000004C36000.00000004.00000040.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.427340993.0000000004FF1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.508553143.0000000004E11000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.605759791.00000000051F1000.00000004.00000001.sdmp, WerFault.exe, 0000001C.00000003.606391797.00000000055E1000.00000004.00000001.sdmp, WerFault.exe, 0000001E.00000003.609217077.0000000004C61000.00000004.00000001.sdmp
                       Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000F6CC push esi; mov dword ptr [esp], 00000000h
                       Source: initial sample Static PE information: section name: .text entropy: 7.5511794748
                       Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                       Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                       Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                       Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Windows\System32\loaddll32.exe; Section loaded: \KnownDlls32\Testapp.EXE
Source: C:\Windows\SysWOW64\rundll32.exe; Section loaded: \KnownDlls32\Testapp.EXE (7 occurrences)
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: WerFault.exe, 00000009.00000002.590600572.0000000004D60000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.576175012.0000000004AA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.652189195.0000000004C80000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.655711395.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.653365977.00000000049D0000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000001B.00000003.640882384.0000000004C76000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: WerFault.exe, 00000009.00000002.590399877.0000000004B42000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.649430287.0000000002E5D000.00000004.00000020.sdmp, WerFault.exe, 0000001C.00000002.652211709.0000000003350000.00000004.00000020.sdmp, WerFault.exe, 0000001E.00000002.653157247.00000000047BF000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000009.00000002.590600572.0000000004D60000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.576175012.0000000004AA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.652189195.0000000004C80000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.655711395.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.653365977.00000000049D0000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000009.00000002.590600572.0000000004D60000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.576175012.0000000004AA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.652189195.0000000004C80000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.655711395.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.653365977.00000000049D0000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000001B.00000003.645667418.0000000004C76000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW0w
Source: WerFault.exe, 00000009.00000002.590600572.0000000004D60000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.576175012.0000000004AA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.652189195.0000000004C80000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.655711395.0000000005180000.00000002.00000001.sdmp, WerFault.exe, 0000001E.00000002.653365977.00000000049D0000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Virtualization/Sandbox Evasion11 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection11 | LSASS Memory | Security Software Discovery111 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Virtualization/Sandbox Evasion11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll321 | NTDS | Account Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing3 | LSA Secrets | System Owner/User Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery11 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 404285
Sample: 3c271eae_by_Libranalysis.dll
Startdate: 04/05/2021
Architecture: WINDOWS
Score: 76

Network nodes in the graph:
• 95.138.161.226 RACKSPACE-LONGB United Kingdom
• 167.114.113.13 OVHFR Canada
• 193.200.130.181 CLOUD-MANAGEMENT-LLCUS unknown

Signatures attached to the sample node:
• Found malware configuration
• Multi AV Scanner detection for submitted file
• Yara detected Dridex unpacked file
• 2 other signatures

Process nodes and edges (parent to child), with the signature attached to each node:
• loaddll32.exe, started by the sample; signature: Tries to detect sandboxes / dynamic malware analysis system (file name check)
• cmd.exe, started by loaddll32.exe
• rundll32.exe, started by cmd.exe; signature: Tries to detect sandboxes / dynamic malware analysis system (file name check); started WerFault.exe
• rundll32.exe, started by loaddll32.exe; signature: Tries to detect sandboxes / dynamic malware analysis system (file name check); started WerFault.exe
• rundll32.exe, started by loaddll32.exe; started WerFault.exe
• 4 other processes, started by loaddll32.exe; started two WerFault.exe instances

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
3c271eae_by_Libranalysis.dll | 21% | Metadefender |
3c271eae_by_Libranalysis.dll | 28% | ReversingLabs | Win32.Trojan.Wacatac
3c271eae_by_Libranalysis.dll | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
17.2.rundll32.exe.7b0000.2.unpack | 100% | Avira | TR/ATRAPS.Gen2
2.2.rundll32.exe.2fa0607.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.560000.2.unpack | 100% | Avira | TR/ATRAPS.Gen2
0.2.loaddll32.exe.b40000.1.unpack | 100% | Avira | TR/ATRAPS.Gen2
3.2.rundll32.exe.830607.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.rundll32.exe.790607.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.loaddll32.exe.a40607.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.rundll32.exe.9e0000.2.unpack | 100% | Avira | TR/ATRAPS.Gen2
13.2.rundll32.exe.bb0607.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
15.2.rundll32.exe.540607.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
18.2.rundll32.exe.d70607.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.850000.2.unpack | 100% | Avira | TR/ATRAPS.Gen2
18.2.rundll32.exe.d90000.2.unpack | 100% | Avira | TR/ATRAPS.Gen2
13.2.rundll32.exe.b90000.1.unpack | 100% | Avira | TR/ATRAPS.Gen2
16.2.rundll32.exe.9b0607.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.rundll32.exe.2fc0000.2.unpack | 100% | Avira | TR/ATRAPS.Gen2

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://crl.micro | 0% | URL Reputation | safe
http://crl.micro8 | 0% | Avira URL Cloud | safe
http://crl.microH | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.micro | WerFault.exe, 0000001C.00000003.648753130.0000000005092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.micro8 | WerFault.exe, 0000001B.00000003.645645354.0000000004C20000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microH | WerFault.exe, 0000001E.00000003.646412621.0000000002A79000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
167.114.113.13 | unknown | Canada | 16276 | OVHFR | true
95.138.161.226 | unknown | United Kingdom | 15395 | RACKSPACE-LONGB | true
193.200.130.181 | unknown | unknown | 42960 | CLOUD-MANAGEMENT-LLCUS | true

                      General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404285
Start date: 04.05.2021
Start time: 21:43:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 3c271eae_by_Libranalysis.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winDLL@22/20@0/3
EGA Information: Failed
HDC Information:
                      • Successful, ratio: 99.1% (good quality ratio 91.7%)
                      • Quality average: 74.8%
                      • Quality standard deviation: 31.3%
                      HCA Information:
                      • Successful, ratio: 68%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                      • Found application associated with file extension: .dll
Warnings:
                      • Excluded IPs from analysis (whitelisted): 104.43.193.48, 184.87.213.153, 13.64.90.137, 93.184.221.240, 52.255.188.83, 40.88.32.150, 40.126.31.5, 20.190.159.131, 40.126.31.9, 20.190.159.133, 40.126.31.138, 40.126.31.3, 40.126.31.7, 40.126.31.142, 20.82.209.104, 8.248.149.254, 67.27.158.254, 67.26.139.254, 67.27.159.126, 67.26.137.254, 23.57.80.111, 52.147.198.201, 40.126.31.137, 40.126.31.8, 40.126.31.139, 20.190.159.138, 40.126.31.1, 20.190.159.132, 40.126.31.4, 20.190.159.134, 92.122.213.247, 92.122.213.194, 20.82.210.154, 104.43.139.144, 52.155.217.156, 20.54.26.129
                      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, wu-fg-shim.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wu.azureedge.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, login.live.com, cs11.wpc.v0cdn.net, audownload.windowsupdate.nsatc.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                      • Report size exceeded maximum capacity and may have missing behavior information.

                      Simulations

                      Behavior and APIs

                      No simulations

                      Joe Sandbox View / Context

                      IPs

Match | Associated Sample Name / URL | Detection

167.114.113.13 (all associated samples detected as malicious):
• fc0bc077_by_Libranalysis.dll
• e1c88b94_by_Libranalysis.dll
• 577e66d4_by_Libranalysis.dll
• b8fe43e6_by_Libranalysis.dll
• f845ef61_by_Libranalysis.dll
• 3c271eae_by_Libranalysis.dll
• fc0bc077_by_Libranalysis.dll
• e1c88b94_by_Libranalysis.dll
• 8743016c_by_Libranalysis.dll
• d8417415_by_Libranalysis.dll
• 9a46403f_by_Libranalysis.dll
• edae86a8_by_Libranalysis.dll
• 457aedfd_by_Libranalysis.dll
• 64b8ed95_by_Libranalysis.dll
• 8743016c_by_Libranalysis.dll
• d8417415_by_Libranalysis.dll
• c977c96e_by_Libranalysis.dll
• 9a46403f_by_Libranalysis.dll
• 457aedfd_by_Libranalysis.dll
• edae86a8_by_Libranalysis.dll

95.138.161.226 (all associated samples detected as malicious):
• 3138bf3b_by_Libranalysis.dll
• fc0bc077_by_Libranalysis.dll
• e1c88b94_by_Libranalysis.dll
• 577e66d4_by_Libranalysis.dll
• b8fe43e6_by_Libranalysis.dll
• f845ef61_by_Libranalysis.dll
• 3c271eae_by_Libranalysis.dll
• fc0bc077_by_Libranalysis.dll
• e1c88b94_by_Libranalysis.dll
• 8743016c_by_Libranalysis.dll
• d8417415_by_Libranalysis.dll
• 9a46403f_by_Libranalysis.dll
• edae86a8_by_Libranalysis.dll
• 457aedfd_by_Libranalysis.dll
• 64b8ed95_by_Libranalysis.dll
• 8743016c_by_Libranalysis.dll
• d8417415_by_Libranalysis.dll
• c977c96e_by_Libranalysis.dll
• 9a46403f_by_Libranalysis.dll
• 457aedfd_by_Libranalysis.dll

Domains

No context

ASN

Match              Associated Sample Name / URL    Detection    Context
RACKSPACE-LONGB    3138bf3b_by_Libranalysis.dll    malicious    95.138.161.226
                   fc0bc077_by_Libranalysis.dll    malicious    95.138.161.226
                   e1c88b94_by_Libranalysis.dll    malicious    95.138.161.226
                   577e66d4_by_Libranalysis.dll    malicious    95.138.161.226
                   b8fe43e6_by_Libranalysis.dll    malicious    95.138.161.226
                   f845ef61_by_Libranalysis.dll    malicious    95.138.161.226
                   3c271eae_by_Libranalysis.dll    malicious    95.138.161.226
                   fc0bc077_by_Libranalysis.dll    malicious    95.138.161.226
                   e1c88b94_by_Libranalysis.dll    malicious    95.138.161.226
                   8743016c_by_Libranalysis.dll    malicious    95.138.161.226
                   d8417415_by_Libranalysis.dll    malicious    95.138.161.226
                   9a46403f_by_Libranalysis.dll    malicious    95.138.161.226
                   edae86a8_by_Libranalysis.dll    malicious    95.138.161.226
                   457aedfd_by_Libranalysis.dll    malicious    95.138.161.226
                   64b8ed95_by_Libranalysis.dll    malicious    95.138.161.226
                   8743016c_by_Libranalysis.dll    malicious    95.138.161.226
                   d8417415_by_Libranalysis.dll    malicious    95.138.161.226
                   c977c96e_by_Libranalysis.dll    malicious    95.138.161.226
                   9a46403f_by_Libranalysis.dll    malicious    95.138.161.226
                   457aedfd_by_Libranalysis.dll    malicious    95.138.161.226
OVHFR              fc0bc077_by_Libranalysis.dll    malicious    167.114.113.13
                   e1c88b94_by_Libranalysis.dll    malicious    167.114.113.13
                   577e66d4_by_Libranalysis.dll    malicious    167.114.113.13
                   b8fe43e6_by_Libranalysis.dll    malicious    167.114.113.13
                   f845ef61_by_Libranalysis.dll    malicious    167.114.113.13
                   3c271eae_by_Libranalysis.dll    malicious    167.114.113.13
                   fc0bc077_by_Libranalysis.dll    malicious    167.114.113.13
                   e1c88b94_by_Libranalysis.dll    malicious    167.114.113.13
                   8743016c_by_Libranalysis.dll    malicious    167.114.113.13
                   d8417415_by_Libranalysis.dll    malicious    167.114.113.13
                   9a46403f_by_Libranalysis.dll    malicious    167.114.113.13
                   edae86a8_by_Libranalysis.dll    malicious    167.114.113.13
                   457aedfd_by_Libranalysis.dll    malicious    167.114.113.13
                   64b8ed95_by_Libranalysis.dll    malicious    167.114.113.13
                   8743016c_by_Libranalysis.dll    malicious    167.114.113.13
                   d8417415_by_Libranalysis.dll    malicious    167.114.113.13
                   c977c96e_by_Libranalysis.dll    malicious    167.114.113.13
                   9a46403f_by_Libranalysis.dll    malicious    167.114.113.13
                   457aedfd_by_Libranalysis.dll    malicious    167.114.113.13
                   edae86a8_by_Libranalysis.dll    malicious    167.114.113.13

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_01d168c7\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12694
Entropy (8bit): 3.772676232741872
Encrypted: false
SSDEEP: 192:mmih0oXnRH4+V/Ojed+GoR/u7srS274ItWce:PiPXnh4+VGjew/u7srX4ItWce
MD5: 724CCCDCE7BF8F97A60967AEB8111DE6
SHA1: BFBCAE117AE6E6CECD4A564767D32A772240E5A0
SHA-256: 5724C11002177C1830D8176BE7AA1F22DA948D78D0EC71A536349FBBED525E75
SHA-512: 3C05C5E16887C57D261EE50DB231F923BAE1E71887C5FB8626FCBF680B4D66049EC9075327C5DD76CE628BEFC1BD59A89FC1FD4D0301BF315959B885871574A3
Malicious: false
Yara Hits:
• Rule: SUSP_WER_Critical_HeapCorruption, Description: Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_01d168c7\Report.wer, Author: Florian Roth
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.8.7.0.4.7.7.5.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.6.0.8.0.0.0.8.2.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.b.a.f.8.b.e.-.5.d.8.5.-.4.b.9.7.-.8.0.2.6.-.4.2.5.b.7.4.3.7.e.0.6.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.9.c.b.9.f.c.-.0.4.c.f.-.4.0.8.8.-.a.f.4.1.-.a.2.4.7.1.c.3.8.6.8.a.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.8.4.-.0.0.0.1.-.0.0.1.7.-.b.4.8.5.-.c.2.6.c.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_1790f1d2\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12702
Entropy (8bit): 3.7726119025378333
Encrypted: false
SSDEEP: 192:Cmi90oXoRH4+V/Ojed+GgR/u7sQS274ItWcV:ziTXoh4+VGjeI/u7sQX4ItWcV
MD5: 7530591422F53CC1FD077A04534DEC56
SHA1: D099A6A1FAA5C93F97D3DC47F4D9C27BD4A473A4
SHA-256: 1C6C55583AA7C845837F1F4E5B9CD06EF94E640B4BDF7A47B68A565B75EA50C6
SHA-512: 7C09F011821183050BC09CDCE2D6BE44822A6DEC5E930AEE5BBC2037EDDC0F11AE7A05874DCEAF4213C510230C659E03F14E8DF74F6D5F210224055A294501FB
Malicious: false
Yara Hits:
• Rule: SUSP_WER_Critical_HeapCorruption, Description: Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1d91dafffd792f9b512ff42d10d3dd5f24a3f5de_82810a17_1790f1d2\Report.wer, Author: Florian Roth
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.0.7.2.5.9.4.4.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.5.7.7.6.5.7.1.6.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.5.9.7.d.3.0.-.7.9.4.7.-.4.9.e.0.-.b.4.3.0.-.8.a.d.5.f.7.1.5.4.6.b.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.a.5.0.9.4.c.-.c.b.d.2.-.4.7.d.b.-.9.0.6.8.-.2.8.4.b.9.6.6.d.9.3.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.1.0.-.0.0.0.1.-.0.0.1.7.-.0.3.8.9.-.5.8.5.1.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_70ca6d92bb7cd6d05a398077544511f8e964d76_82810a17_0d9d6e75\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12772
Entropy (8bit): 3.7713623140181887
Encrypted: false
SSDEEP: 192:oZByWig0oXjHBUZMX4jed+GYR/u7srS274It7c9:ITi2XjBUZMX4jeg/u7srX4It7c9
MD5: F4088892FA938EA3AC2CC5C718E5A5F5
SHA1: 9C133CE8CCD50EA62C2120455FCA2B87A5B43042
SHA-256: F3CE5AC21DF90EE7416BB7D4BBA3606984FC1283FDED0828FED58182416C94E2
SHA-512: DAEB3A9828DE54758C1AEC938308B3670CEAADB43BA0E42A0AC884423AE835328434EB5E56163F1BD2C9A00C4FFDFD1241888DACB99B0FA8232EAE5980034F85
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.8.7.1.4.1.4.9.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.6.0.9.3.9.1.3.9.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.5.5.6.e.5.f.-.e.2.b.d.-.4.9.c.c.-.a.2.d.5.-.2.f.3.b.2.3.c.b.4.c.f.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.1.6.9.d.a.b.-.b.b.f.2.-.4.1.8.8.-.b.2.5.f.-.1.3.1.b.6.4.d.9.1.1.7.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.7.4.-.0.0.0.1.-.0.0.1.7.-.9.a.4.3.-.e.b.6.c.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_83abab8e5de515701b774b3934596496ffb63d4d_82810a17_0eed6a2f\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12688
Entropy (8bit): 3.765666500931055
Encrypted: false
SSDEEP: 192:mXid0oXLEHBUZMX4jed+GgR/u7srS274ItWco:eizXwBUZMX4jeI/u7srX4ItWco
MD5: F02B93D088D2D548E34121FCA71FAAB7
SHA1: CC484C674374B3C49E129F99BDBD9E6C35C46E90
SHA-256: B8003577F9C2418806B88CE1CF2757A7F46AD0C137045DF329C5CF1728C0275E
SHA-512: F4747795415B355C5D39FCC43B07402A36B03BCC983DBDE9B33C8511A26E0CB7C64F15E7589333F05BFE0DDA0346430D96B61A6B92E1F463D380AF1C21955591
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.8.9.0.6.3.3.5.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.4.6.6.3.6.0.9.8.1.3.2.6.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.0.2.6.7.f.7.-.3.d.6.5.-.4.2.7.1.-.8.f.2.c.-.5.3.e.a.1.6.4.9.b.c.0.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.d.2.b.f.5.a.-.0.e.4.c.-.4.4.9.8.-.b.3.2.8.-.4.e.a.0.5.9.8.2.6.f.c.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.7.4.-.0.0.0.1.-.0.0.1.7.-.a.d.7.0.-.7.e.6.d.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_a448481dbb8c9a9489f46034d2e685b2c21_82810a17_1770e3a9\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 12868
Entropy (8bit): 3.756967753187539
Encrypted: false
SSDEEP: 192:+iW0oXSFHVzOMjed+GA8/u7sQS274It7cy:+iQXYVzOMje1/u7sQX4It7cy
MD5: C6DC5076C1B4604BF453651DD5156567
SHA1: 6C37188D7683072F9D61FD071B126725084FC135
SHA-256: 06065D782D8ECEE8C02CE1E66AE3BA1EF3CAAAFF013EC13B544C9B8B05154475
SHA-512: 4D64D55260752E5E0B6B70548285D0B4ED30A8FA05B2796C568CBD70A42E172F7CF972A3243A9A4966058F2BAF9D2C27AEACDC0158A469B27C0D4B3E9BF416FB
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.4.6.6.3.5.0.9.3.2.1.9.3.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.5.6.b.6.1.2.-.5.3.f.1.-.4.6.9.5.-.b.a.2.a.-.f.8.8.e.4.8.4.4.9.6.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.2.6.c.7.f.a.-.9.6.f.4.-.4.f.c.f.-.a.7.6.7.-.e.5.c.8.d.1.c.d.8.c.d.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.e.c.-.0.0.0.1.-.0.0.1.7.-.d.4.1.b.-.5.0.5.1.6.9.4.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.!.1.0.3.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER124B.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Wed May 5 04:46:33 2021, 0x1205a4 type
Category: dropped
Size (bytes): 41020
Entropy (8bit): 2.459409118085861
Encrypted: false
SSDEEP: 192:0mPXShZfZsGwuT23XecTocwMM7NPJeWwH6vhTPuHpFnSj:0uCwuT23zdSxesvVWf8
MD5: 7592E8F98EAF1DE5AACF4B081F7010A4
SHA1: 2A83381D133E627050ECF6C984CEC7777C036BBF
SHA-256: B973D9C8C08ADD96ECF9379A25CB134DE694D48DD948F3E9A51686CF1C145F44
SHA-512: EC42BF8F3DA0737498EC2963F6535F19D289EF799FF5A56017F95C0983DADB8AB3126ACC05FDEA148B3B61BBA54EA43F7A6D3EB2EC6ABE3D8E830CA0CDD3C731
Malicious: false
Preview: MDMP....... .......)#.`...................U...........B......P ......GenuineIntelW...........T.......t....".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER20E2.tmp.WERInternalMetadata.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8324
                                                                                                      Entropy (8bit):3.7023747472610182
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Rrl7r3GLNijH69D6YY56DscgmfTHPSXPCpr289blTsf33m:RrlsNij6Z6Ym6DscgmfTHPSol4fm
                                                                                                      MD5:82B5E03C68F377CA1E5FE46EFDAC4E41
                                                                                                      SHA1:91BC2F95C61249C6AB4BA0AEB93EF2257658647B
                                                                                                      SHA-256:F5D06F79B983F4DACA827E9E1155BAFB0DDD33DDE80F4E0F88DA355AD959FF52
                                                                                                      SHA-512:B8A15813B9388539B5A0EFED0F2B8E26AEEED0B3B8F470208B11CD7FAF80B641277508A37D0BC7AB8B6D92952B4EB093E30D16A6ACBB85873D823D5A5F40262F
                                                                                                      Malicious:false
                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.4.<./.P.i.d.>.........
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER21DC.tmp.WERInternalMetadata.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8382
                                                                                                      Entropy (8bit):3.696186966396553
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Rrl7r3GLNi8MJ6CE6YY76Dscgmf8eSBCpr+89blOsfdByT3m:RrlsNiR6p6YE6Dscgmf8eSulNfzn
                                                                                                      MD5:D8D0D9EB233F7D0CE0909DFC3616B206
                                                                                                      SHA1:20186014EDB629408F5BE5D0AC0C466EA0F27210
                                                                                                      SHA-256:61A83221C1946D824C84D566509E7564DDE4B6A39C8FFF6514AF6617407ADDE0
                                                                                                      SHA-512:64E9026B5E5D39F5B5550D16EA022B4154E0A6BEC89F7652491410CD1A6C70F06E30AD14306BAE5313BC14DE1530B5D3FA5AC6F6559CC98E5A40C5179904B68B
                                                                                                      Malicious:false
                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.0.4.<./.P.i.d.>.......
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER26FD.tmp.WERInternalMetadata.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8314
                                                                                                      Entropy (8bit):3.695750618505511
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Rrl7r3GLNi3o6y6YYL6DscgmfTP1SBCpr289bqNsfPOm:RrlsNiY6y6YU6DscgmfTdSWqGfP
                                                                                                      MD5:470C1E96BEE156A062DDE62D8435D310
                                                                                                      SHA1:89C617EF3C62ECA7228B3161C3D598227DEEBB27
                                                                                                      SHA-256:D14C4BB23C64B668D544B0FFB33C6C184CDAF9F48A04558EA4018C81F961D24C
                                                                                                      SHA-512:7EE5AFCD1B1B31E0464AFB5454F09AD769D7180B8B83019238E05E3EA32968BAD1D77FB97326A389C51FFFDEA5C663EA1B16CA0FC60C1695A4EB3C3696BA8C36
                                                                                                      Malicious:false
                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.9.2.<./.P.i.d.>.......
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER28E2.tmp.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4679
                                                                                                      Entropy (8bit):4.510297553914381
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cvIwSD8zsWJgtWI9WorWSC8B68fm8M4JCdsrZF2+q8/3U14SrSid:uITfsZJSNRJpCv1DWid
                                                                                                      MD5:3CB9BF8336F79A1243614ACDCB7B901D
                                                                                                      SHA1:9F59777788190EE43E91A9056E44A205A07098B2
                                                                                                      SHA-256:FB259A95651A8222A525D7DA15E4C0C4B9828EACAC54BA8957D99B562C558804
                                                                                                      SHA-512:9FB654627FFC7BDA053E9C27E8AEE248AAE3656BE3360BDB870DF2BDE2EA9EFC6F45A372000AC5DEF446DDA262E61503099F143BC533AAAF1DE5B659815B901F
                                                                                                      Malicious:false
                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975717" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A78.tmp.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4770
                                                                                                      Entropy (8bit):4.486548222415271
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cvIwSD8zsWJgtWI9WorWSC8BW8fm8M4JCds0MFu+q8vjs0p4SrSXd:uITfsZJSNxJyvKtpDWXd
                                                                                                      MD5:9F86FC9C535E79F32537AFEB7432AE5E
                                                                                                      SHA1:FA337B5D24A5151260E108F8D7EC07BB7FF4EEAF
                                                                                                      SHA-256:D2917708CF408C4C9ECC26E60C48D151EF2BD1CB271BDED2DEEAAFE74B45184D
                                                                                                      SHA-512:99888571E3D7EBF6440795209174B61A172279747F35BFF09B151E12FB18C6007410D0C7507A5ABB06F030E1AA10659A7589869B726017FBD0BE4C1E27E0DF41
                                                                                                      Malicious:false
                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975717" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E9F.tmp.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4665
                                                                                                      Entropy (8bit):4.474115912012678
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cvIwSD8zsWJgtWI9WorWSC8BNs8fm8M4JCdspN4nsFn+q8/0NGgRZ4SrSVMd:uITfsZJSNRJrN4GbNGmDWVMd
                                                                                                      MD5:5F34BADDF704E0C19ED61E95A50164B2
                                                                                                      SHA1:831A553F2D51811CF929EEBD57B71CC012909D8B
                                                                                                      SHA-256:A9C3BD9F857F8BA8AD740E1C32ED904A7A72A475DA1BE76DD208F7BEFD721573
                                                                                                      SHA-512:09A41A36B98075679FAE50F5007E43F1A3393B7046DFE4E5DE3F322775EC1376658B851189C93F597856D5D995D372CCD7A6591FBDEAD9A1CC2F87CAACAA9050
                                                                                                      Malicious:false
                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975717" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C34.tmp.WERInternalMetadata.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8380
                                                                                                      Entropy (8bit):3.6895608569089764
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Rrl7r3GLNiB96V46YY26Dscgmf8PHSqCpBd89bK/sfNum:RrlsNir6K6YR6Dscgmf8fSqKkf9
                                                                                                      MD5:D0D48E867190FEF33C4EC93599EE7236
                                                                                                      SHA1:1ED0223B64CAC7416EF012A7DC737A347748ED3B
                                                                                                      SHA-256:93BA0C3504952309EBD3E828BC44125A251B2DB160ACB48D681C62A1445E1544
                                                                                                      SHA-512:128D722D362084D4727205B0AD99964449F380C4F75C2FE98EBB232EA742005317738B220A3EA8C81986E4F82CA17B6E64BC2A4BB4ACCC175086C3DAAE8C1DD4
                                                                                                      Malicious:false
                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.0.0.<./.P.i.d.>.......
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3C.tmp.dmp
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:Mini DuMP crash report, 14 streams, Wed May 5 04:46:32 2021, 0x1205a4 type
                                                                                                      Category:dropped
                                                                                                      Size (bytes):39784
                                                                                                      Entropy (8bit):2.512658691380758
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:AFH/L6Sq9rwV2zGXtPOcTocwMM7NPJeE46YX8zlr6nAk:iTS9rwVtbdSxeD6Q8zl2Ak
                                                                                                      MD5:F1B20BA22EC2FE38048280D950EDCE82
                                                                                                      SHA1:1E3B2955A9E560EE97182E617C89F63C08C11F4B
                                                                                                      SHA-256:16D1BD28E4333671A7A421DF747354FA88D2CD012C890B7AB0090A06CCA2AC6E
                                                                                                      SHA-512:170F90B1B3CE74E3EB51DECAE33A5BC55BDC4E70DFFE3AEA33F4D4474318FB8B349FA052BF2AF588C77408B799CAAF7D24E099E5AD26AB397CAD78F7451411A8
                                                                                                      Malicious:false
                                                                                                      Preview: MDMP....... .......(#.`...................U...........B......P ......GenuineIntelW...........T............".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9A.tmp.dmp
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:Mini DuMP crash report, 14 streams, Wed May 5 04:46:32 2021, 0x1205a4 type
                                                                                                      Category:dropped
                                                                                                      Size (bytes):46196
                                                                                                      Entropy (8bit):2.216521304178328
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:59IK6GUHevqBZyY8S9eMDB0mWt2dGogDAy1/au2n/w65:5yrvsqBZyY8Sp90j2dGb1OI65
                                                                                                      MD5:E2C483FCC5CD117D788E226ED78ABB25
                                                                                                      SHA1:04687084B826DCA42AF99E69595914B54DC171F9
                                                                                                      SHA-256:7040A60F327DEC3968C136C04F1F813D4FF820FBB1D7B6003CB62894A95BEAAE
                                                                                                      SHA-512:B42ECDFB25CB1EB037C06A065A3D49C6E249E623C1432E3CAFBDCEC0769ED5913C0F950F6A7EAB1DE1987753443024FBFAE46220B93575C5F1AB2526569D1A17
                                                                                                      Malicious:false
                                                                                                      Preview: MDMP....... .......(#.`...................U...........B....... ......GenuineIntelW...........T.......t....".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
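The "File Type" line on the .dmp records above is file(1)'s reading of the fixed 32-byte MINIDUMP_HEADER at the start of each dump: the stream count, the TimeDateStamp, and the low 32 bits of the Flags field, which file(1) labels "type" but which is really the MINIDUMP_TYPE bitmask WerFault.exe passed to MiniDumpWriteDump. These files are written by WerFault.exe after the crash, not by the sample, so Malicious:false is expected; what they are useful for is confirming which process faulted and what the dump contains before opening it in a debugger. The parser below is an added example, not part of the sandbox report or of any tool it names. The header it parses is constructed to mirror the WERA9A.tmp.dmp record (14 streams, 2021-05-05 04:46:32 UTC, flags 0x1205a4) and is not the real dump; the flag names are the MINIDUMP_TYPE values from minidumpapiset.h. The report's Preview field renders every non-printable byte as a dot, which is why the little-endian timestamp bytes 28 23 92 60 show up as "(#.`" and the stream-directory RVA 0x20 as the lone space.

```python
import struct
from datetime import datetime, timezone

# MINIDUMP_HEADER (minidumpapiset.h), little-endian, 32 bytes:
#   Signature[4], Version u32, NumberOfStreams u32, StreamDirectoryRva u32,
#   CheckSum u32, TimeDateStamp u32 (Unix time), Flags u64 (MINIDUMP_TYPE)
MINIDUMP_HEADER = struct.Struct("<4sIIIIIQ")
MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793  # low 16 bits of Version are fixed; high 16 are writer-specific

# MINIDUMP_TYPE bit values from minidumpapiset.h.
MINIDUMP_TYPE = {
    0x00000001: "MiniDumpWithDataSegs",
    0x00000002: "MiniDumpWithFullMemory",
    0x00000004: "MiniDumpWithHandleData",
    0x00000008: "MiniDumpFilterMemory",
    0x00000010: "MiniDumpScanMemory",
    0x00000020: "MiniDumpWithUnloadedModules",
    0x00000040: "MiniDumpWithIndirectlyReferencedMemory",
    0x00000080: "MiniDumpFilterModulePaths",
    0x00000100: "MiniDumpWithProcessThreadData",
    0x00000200: "MiniDumpWithPrivateReadWriteMemory",
    0x00000400: "MiniDumpWithoutOptionalData",
    0x00000800: "MiniDumpWithFullMemoryInfo",
    0x00001000: "MiniDumpWithThreadInfo",
    0x00002000: "MiniDumpWithCodeSegs",
    0x00004000: "MiniDumpWithoutAuxiliaryState",
    0x00008000: "MiniDumpWithFullAuxiliaryState",
    0x00010000: "MiniDumpWithPrivateWriteCopyMemory",
    0x00020000: "MiniDumpIgnoreInaccessibleMemory",
    0x00040000: "MiniDumpWithTokenInformation",
    0x00080000: "MiniDumpWithModuleHeaders",
    0x00100000: "MiniDumpFilterTriage",
}


def parse_minidump_header(data: bytes) -> dict:
    """Parse and validate the fixed minidump header; reject anything that is
    not a real dump even if it happens to start with 'MDMP'."""
    if len(data) < MINIDUMP_HEADER.size:
        raise ValueError("too short for a MINIDUMP_HEADER")
    sig, version, nstreams, dir_rva, checksum, tstamp, flags = MINIDUMP_HEADER.unpack_from(data)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("bad signature %r" % sig)
    if version & 0xFFFF != MINIDUMP_VERSION:
        raise ValueError("unexpected minidump version 0x%x" % version)
    names = [name for bit, name in sorted(MINIDUMP_TYPE.items()) if flags & bit]
    return {
        "streams": nstreams,
        "stream_dir_rva": dir_rva,
        "checksum": checksum,
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc),
        "flags": flags,
        "flag_names": names,
        # Any bit outside the table above: a newer writer or a corrupted header.
        "unknown_flag_bits": flags & ~sum(MINIDUMP_TYPE),
    }


def file_style_description(data: bytes) -> str:
    """Reproduce the file(1) line seen in the 'File Type' field. file(1) reads
    the u32 at offset 24 (low half of Flags) and prints it as 'type'."""
    h = parse_minidump_header(data)
    ts = h["timestamp"]
    when = "%s %d %s" % (ts.strftime("%a %b"), ts.day, ts.strftime("%H:%M:%S %Y"))
    return "Mini DuMP crash report, %d streams, %s, 0x%x type" % (
        h["streams"], when, h["flags"] & 0xFFFFFFFF)


def render_preview(data: bytes) -> str:
    """Render bytes the way the report's Preview field does: printable ASCII
    stays, everything else becomes '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


# Constructed header mirroring the WERA9A.tmp.dmp record: 14 streams, stream
# directory at 0x20, no checksum, TimeDateStamp 0x60922328 (2021-05-05
# 04:46:32 UTC), Flags 0x1205a4. Not the real dump from the report.
SAMPLE_HEADER = MINIDUMP_HEADER.pack(b"MDMP", 0x0000A793, 14, 0x20, 0, 0x60922328, 0x1205A4)

if __name__ == "__main__":
    info = parse_minidump_header(SAMPLE_HEADER)
    print(file_style_description(SAMPLE_HEADER))
    print("flags:", ", ".join(info["flag_names"]))
    print("preview:", render_preview(SAMPLE_HEADER))
```

Run against a real dump with `parse_minidump_header(open(path, "rb").read(32))`; the decoded flag names tell you whether the dump carries handle data, unloaded-module lists or full memory before you spend time loading it, and a non-zero unknown_flag_bits value or a version mismatch is a quick sign that the file is not what its name claims.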
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC9E.tmp.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4766
                                                                                                      Entropy (8bit):4.458124164007583
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cvIwSD8zstJgtWI9WorWSC8B08fm8M4JCdspN4fFSI+q8vjspN424SrSyd:uITfHZJSNPJrN4JK6N42DWyd
                                                                                                      MD5:61A3B9E9244E5ADB693EF83182A97244
                                                                                                      SHA1:327C01A90273B9050DB2C746A0C0A8924D7C17ED
                                                                                                      SHA-256:09AF9862375B99D07C49E333BE55C892EF134AD5BB9C841415F861193CBFFE46
                                                                                                      SHA-512:B79FC224A54751BC5129F6A2F58091EF1138661366534B81DBBAC1C3A86E7D368767E2016026D1468C3DE8A6A12BBA54CA12ADCB8AFAB12E0A6D3D99177B6C27
                                                                                                      Malicious:false
                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975716" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERD297.tmp.dmp
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:Mini DuMP crash report, 14 streams, Wed May 5 04:45:09 2021, 0x1205a4 type
                                                                                                      Category:dropped
                                                                                                      Size (bytes):38640
                                                                                                      Entropy (8bit):2.560424035051431
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:fQaDDzd0HEhAQX5B7+s0MbocTocwMM7NPJe6et5zhcC7ezna:nbGQX5B7gsRdSxevzhma
                                                                                                      MD5:1F94E0357AE69E7BF1C8316AE7B079B6
                                                                                                      SHA1:2E71C1751BE1E5C8424CC8C0C3740037871D18B3
                                                                                                      SHA-256:ED5B9F848DFC048A23D0DD2D19C73F983C9508464ACCD3339462D39674909330
                                                                                                      SHA-512:BF105E7EEC06E47A72BE6703260C762438F9344AFB8831637ADD6AD6B1E424EEBEC1946AFC2773B26CB84F921A689C50AA6710AABA99FD3B0E72783D1ACC2F1D
                                                                                                      Malicious:false
                                                                                                      Preview: MDMP....... ........".`...................U...........B......P ......GenuineIntelW...........T............".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAA6.tmp.dmp
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:Mini DuMP crash report, 15 streams, Wed May 5 04:45:46 2021, 0x1205a4 type
                                                                                                      Category:dropped
                                                                                                      Size (bytes):47604
                                                                                                      Entropy (8bit):2.380802761970886
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:NOR2hQ9V50u04DGX8smXQZZM6zwV9kp/uBU+nLujdGe:E5S1mkZMwp2Ue6f
                                                                                                      MD5:E2A7589DFC0C956D519D7CDA94EF8900
                                                                                                      SHA1:40D4B4B4D783AB9566562C6B581722E31F9DA776
                                                                                                      SHA-256:D7A3A4EF2CE2A1C25ECAF78882224BB4B655051B3910BB5FCCB48C82B38EB92D
                                                                                                      SHA-512:77EEDF7251133BD5AABEF84C434C40F8F6D1D52C646F3BC6A7EBEF4BE761F3D7CA3023EE5D0EFDF4A8B8C15F862FA5836E8CC5B0DAE61492FFD8C211795D5FCD
                                                                                                      Malicious:false
                                                                                                      Preview: MDMP....... ........".`...................U...........B......."......GenuineIntelW...........T............".`.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB33.tmp.WERInternalMetadata.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8308
                                                                                                      Entropy (8bit):3.700743413389048
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Rrl7r3GLNiCD69a6Y5G6czgmfTHPSXPCprT89b/fsfCVm:RrlsNie6Q6YY6czgmfTHPST/Ef5
                                                                                                      MD5:64FC71E88C6C88DC7A6BCE356C3EECDD
                                                                                                      SHA1:14CEC9501131E4BF711ACC12F76D3F0291DF0F68
                                                                                                      SHA-256:2FA10800B23975ACD6348CD3CD10D45B6C85C1C022C956816AC410EA9818B604
                                                                                                      SHA-512:ACE2A3F524FCF5D125745FAC94C7AB0EEB7C25FC8BC546A48771B68641AEEF2E679B0D6831D3CCD98A84F542B1CA0D64328E540D7F3FA34BFBBB48C76AC536FF
                                                                                                      Malicious:false
                                                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.4.8.<./.P.i.d.>.......
                                                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEDE.tmp.xml
                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4679
                                                                                                      Entropy (8bit):4.511228149576569
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:cvIwSD8zsEJgtWI9WorWSC8BU8fm8M4JCdsrZF1hXP+q8/3UYTK4SrS8ad:uITfCZJSN/JpBlPvYGDW/d
                                                                                                      MD5:5432E39FD66DC753FD3F44CA058D0A51
                                                                                                      SHA1:70FB355F21179D604E91E7A4CAF8011E16DBA733
                                                                                                      SHA-256:74709CE080DFEDD9738E984D6A656796BB24831B19711E172F4165EBE9E822D1
                                                                                                      SHA-512:BCBA04250937DF23115E4572ED746EC16777BE8B417C7F60EE2A6E1F1B3AC45FFB0A0D84D514FF8DAA17FC4310DFB96AA6F4B0BA2996EC888EC0BE5C6996E134
                                                                                                      Malicious:false
                                                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="975715" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                                      Static File Info

                                                                                                      General

                                                                                                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                      Entropy (8bit):7.536021869806777
                                                                                                      TrID:
                                                                                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                      • DOS Executable Generic (2002/1) 0.20%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:3c271eae_by_Libranalysis.dll
                                                                                                      File size:164864
                                                                                                      MD5:3c271eae5a3a2817cfd8704f75fdf405
                                                                                                      SHA1:03b821b5d8b5416900245a05fce8541a21b6da7c
                                                                                                      SHA256:dbd00287fe0c78430fee81ec6333b9c9b1863b7c62ac305de627ce6ca9fb314e
                                                                                                      SHA512:163821fc746739988241c8c39cde90bd479bece8d27df80916edc990957bcbf709f168de2d23704c2d01f9cfe011d4e2dd04f755834e43a423f37ff199d6497b
                                                                                                      SSDEEP:3072:sk2X+QFg3UutDvUvoU8pz6EJEEhu6Tzace9kuaGA81/YXKHML/Yp8AF:yG3rUvoU4JE/Wzan9T7B/CKsL/Yy
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t.%.0zK.0zK.0zK.0zJ.}{K...3..{K.....P{K...3..zK.V....zK...1..{K......zK.Rich0zK.........................................PE..L..

                                                                                                      File Icon

                                                                                                      Icon Hash:74f0e4ecccdce0e4

                                                                                                      Static PE Info

                                                                                                      General

                                                                                                      Entrypoint:0x100241a0
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x10000000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                      Time Stamp:0x60903ADD [Mon May 3 18:03:09 2021 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:5
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:5
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:5
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:f108efab351dd21acb187c36805c5bbe

                                                                                                      Entrypoint Preview

                                                                                                      Instruction
                                                                                                      mov edx, eax
                                                                                                      xor eax, eax
                                                                                                      add eax, 00002233h
                                                                                                      cmpss xmm1, xmm2, 03h
                                                                                                      sub eax, 00002233h
                                                                                                      mov edx, 00000000h
                                                                                                      mov edx, 00000000h
                                                                                                      mov edx, 00000000h
                                                                                                      mov edx, 00000000h
                                                                                                      mov edx, 00000000h
                                                                                                      mov edx, 00000000h
                                                                                                      cmpss xmm1, xmm2, 03h
                                                                                                      cmp eax, 01h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h
                                                                                                      mov eax, 00000000h

                                                                                                      Rich Headers

                                                                                                      Programming Language:
                                                                                                      • [RES] VS2012 UPD3 build 60610
                                                                                                      • [LNK] VS2005 build 50727
                                                                                                      • [EXP] VS2005 build 50727
                                                                                                      • [ C ] VS2012 UPD4 build 61030
                                                                                                      • [IMP] VS2013 UPD2 build 30501

                                                                                                      Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x27730          0x55          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x27804          0x59          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2c000          0x3a0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x2d000          0x1220
IMAGE_DIRECTORY_ENTRY_DEBUG           0x10018          0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x25000          0x60          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                      Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type     Entropy        Characteristics
.text   0x1000           0x23322       0x23400   False     0.759010693706   data          7.5511794748   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x25000          0x2ab4        0x2c00    False     0.770774147727   data          7.47863118679  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata  0x28000          0x37da        0x1800    False     0.78564453125    MMDF mailbox  7.42299069747  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x2c000          0x3a0         0x400     False     0.4091796875     data          3.06807977608  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x2d000          0x258         0x400     False     0.5263671875     data          4.16057022331  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                      Resources

Name        RVA      Size   Type  Language  Country
RT_VERSION  0x2c060  0x33c  data

                                                                                                      Imports

DLL           Import
msvcrt.dll    memset
ADVAPI32.dll  RegOverridePredefKey
ole32.dll     CreatePointerMoniker, CreateStreamOnHGlobal
USER32.dll    TranslateMessage
OPENGL32.dll  glTexSubImage1D
KERNEL32.dll  CloseHandle, OutputDebugStringA, LoadLibraryExW, CreateFileW, GetProfileSectionW, LoadLibraryW, GetProfileSectionA, OpenSemaphoreW
RASAPI32.dll  RasGetConnectionStatistics
CLUSAPI.dll   ClusterEnum

                                                                                                      Exports

Name     Ordinal  Address
LoxmtYt  1        0x10027776

                                                                                                      Version Infos

Description       Data
LegalCopyright    Copyright 2018
InternalName      j2pcsc
FileVersion       8.0.1710.11
Full Version      1.8.0_171-b11
CompanyName       Oracle Corporation
ProductName       Java(TM) Platform SE 8
ProductVersion    8.0.1710.11
FileDescription   Java(TM) Platform SE binary
OriginalFilename  j2pcsc.dll
Translation       0x0000 0x04b0

                                                                                                      Network Behavior

                                                                                                      Network Port Distribution

                                                                                                      UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
May 4, 2021 21:44:14.526757002 CEST  55074        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:14.575486898 CEST  53           55074      8.8.8.8      192.168.2.6
May 4, 2021 21:44:14.751502037 CEST  54513        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:14.809906006 CEST  53           54513      8.8.8.8      192.168.2.6
May 4, 2021 21:44:15.445355892 CEST  62044        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:15.494009972 CEST  53           62044      8.8.8.8      192.168.2.6
May 4, 2021 21:44:16.374154091 CEST  63791        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:16.425174952 CEST  53           63791      8.8.8.8      192.168.2.6
May 4, 2021 21:44:17.264143944 CEST  64267        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:17.321329117 CEST  53           64267      8.8.8.8      192.168.2.6
May 4, 2021 21:44:18.235455036 CEST  49448        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:18.293767929 CEST  53           49448      8.8.8.8      192.168.2.6
May 4, 2021 21:44:19.609390020 CEST  60342        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:19.661343098 CEST  53           60342      8.8.8.8      192.168.2.6
May 4, 2021 21:44:20.732441902 CEST  61346        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:20.781251907 CEST  53           61346      8.8.8.8      192.168.2.6
May 4, 2021 21:44:21.216137886 CEST  51774        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:21.285295963 CEST  53           51774      8.8.8.8      192.168.2.6
May 4, 2021 21:44:21.667448997 CEST  56023        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:21.717058897 CEST  53           56023      8.8.8.8      192.168.2.6
May 4, 2021 21:44:22.792475939 CEST  58384        53         192.168.2.6  8.8.8.8
May 4, 2021 21:44:22.845525026 CEST  53           58384      8.8.8.8      192.168.2.6
May 4, 2021 21:45:04.272495031 CEST  60261        53         192.168.2.6  8.8.8.8
May 4, 2021 21:45:04.324301004 CEST  53           60261      8.8.8.8      192.168.2.6
May 4, 2021 21:45:05.092786074 CEST  56061        53         192.168.2.6  8.8.8.8
May 4, 2021 21:45:05.151158094 CEST  53           56061      8.8.8.8      192.168.2.6
                                                                                                      May 4, 2021 21:45:05.669657946 CEST5833653192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:45:05.726613045 CEST53583368.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:45:05.910166979 CEST5378153192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:45:05.915132999 CEST5406453192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:45:05.958775043 CEST53537818.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:45:05.963886976 CEST53540648.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:45:06.893409967 CEST5281153192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:45:06.946862936 CEST53528118.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:45:08.544219017 CEST5529953192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:45:08.600963116 CEST53552998.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:45:08.701235056 CEST6374553192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:45:08.749883890 CEST53637458.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:45:09.874303102 CEST5005553192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:45:09.923393011 CEST53500558.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:02.174242020 CEST6137453192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:02.233520985 CEST53613748.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:11.093945026 CEST5033953192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:11.143449068 CEST53503398.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:17.638186932 CEST6330753192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:17.695493937 CEST53633078.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:18.778915882 CEST4969453192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:18.827673912 CEST53496948.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:19.348090887 CEST5498253192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:19.396893024 CEST53549828.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:24.240775108 CEST5001053192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:24.333915949 CEST53500108.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:24.819046974 CEST6371853192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:24.876785994 CEST53637188.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:25.367489100 CEST6211653192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:25.427855015 CEST53621168.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:25.885755062 CEST6381653192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:25.945226908 CEST53638168.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:26.413902998 CEST5501453192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:26.473494053 CEST53550148.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:27.473649025 CEST6220853192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:27.534251928 CEST53622088.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:27.925471067 CEST5757453192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:27.974205017 CEST53575748.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:49.367012978 CEST5181853192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:49.415895939 CEST53518188.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:50.807249069 CEST5662853192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:50.861068964 CEST53566288.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:50.895876884 CEST6077853192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:50.944536924 CEST53607788.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:46:52.432234049 CEST5379953192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:46:52.497481108 CEST53537998.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:08.948781013 CEST5468353192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:09.047935963 CEST53546838.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:09.733320951 CEST5932953192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:09.754313946 CEST6402153192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:09.822058916 CEST53640218.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:09.910907984 CEST53593298.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:10.663146973 CEST5612953192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:10.720233917 CEST53561298.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:11.251727104 CEST5817753192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:11.308666945 CEST53581778.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:12.180797100 CEST5070053192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:12.242857933 CEST53507008.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:12.726773024 CEST5406953192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:12.777582884 CEST53540698.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:12.979967117 CEST6117853192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:13.030441046 CEST53611788.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:13.563133001 CEST5701753192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:13.620109081 CEST53570178.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:14.850735903 CEST5632753192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:14.899684906 CEST53563278.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:15.768712044 CEST5024353192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:15.825768948 CEST53502438.8.8.8192.168.2.6
                                                                                                      May 4, 2021 21:47:16.333626032 CEST6205553192.168.2.68.8.8.8
                                                                                                      May 4, 2021 21:47:16.390731096 CEST53620558.8.8.8192.168.2.6

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 21:45:05.726613045 CEST | 8.8.8.8 | 192.168.2.6 | 0x7b5 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 21:46:24.333915949 CEST | 8.8.8.8 | 192.168.2.6 | 0x7b1b | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 21:46:24.876785994 CEST | 8.8.8.8 | 192.168.2.6 | 0x3fab | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 21:46:25.427855015 CEST | 8.8.8.8 | 192.168.2.6 | 0xf791 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 21:46:25.945226908 CEST | 8.8.8.8 | 192.168.2.6 | 0xf5b1 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 21:44:21
Start date: 04/05/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll'
Imagebase: 0xe80000
File size: 116736 bytes
MD5 hash: 542795ADF7CC08EFCF675D65310596E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:44:21
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:44:22
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll,LoxmtYt
Imagebase: 0xe80000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:44:22
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',#1
Imagebase: 0xe80000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.599608439.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 21:45:03
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 764
Imagebase: 0x800000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:45:06
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 888
Imagebase: 0x800000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:45:08
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllCanUnloadNow
Imagebase: 0xe80000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000D.00000002.659180073.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 21:45:08
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',DllGetClassObject
Imagebase: 0xe80000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 0000000F.00000002.663523541.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 21:45:08
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddFileToInstance
Imagebase: 0xe80000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000010.00000002.578383295.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Reputation: high

General

Start time: 21:45:09
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiAddParameter
Imagebase: 0xe80000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000011.00000002.578360981.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:21:45:09
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:rundll32.exe 'C:\Users\user\Desktop\3c271eae_by_Libranalysis.dll',WdiCancel
                                                                                                      Imagebase:0xe80000
                                                                                                      File size:61952 bytes
                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000012.00000002.660063361.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:21:46:17
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 752
                                                                                                      Imagebase:0x800000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:21:46:17
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 756
                                                                                                      Imagebase:0x800000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:21:46:25
                                                                                                      Start date:04/05/2021
                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 764
                                                                                                      Imagebase:0x800000
                                                                                                      File size:434592 bytes
                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Disassembly

                                                                                                      Code Analysis