Windows Analysis Report lj3H69Z3Io.dll

Overview

General Information

Sample Name: lj3H69Z3Io.dll
Analysis ID: 447090
MD5: 0bb29556ece1c51c751cb4e7c8752ddc
SHA1: 324cc356a56c68e51f09348e91405001e68e4a08
SHA256: af1b052362469a67fcd871558b24efa2be44a4b29f88112e5c2d2295a1dc4252
Tags: dll, Gozi, ISFB, Ursnif

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
One or more processes crash
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: lj3H69Z3Io.dll Virustotal: Detection: 41%
Source: lj3H69Z3Io.dll ReversingLabs: Detection: 31%

Compliance:

Uses 32bit PE files
Source: lj3H69Z3Io.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: lj3H69Z3Io.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: shlwapi.pdb9} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbdj source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbXPJ"i source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wtsapi32.pdbyN[ source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbrP " source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb$ source: WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbMNG source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb[Ny source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbBPp" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb( source: WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb~PT"a source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbDP~". source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Bed.pdb' source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbEOSz source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdbVPL"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: Bed.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbsG7" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbsNA source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb}IU source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.533933827.0000000002EAF000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.534503789.000000000310A000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbAw source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbGNM source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbz source: WerFault.exe, 00000015.00000003.572645587.0000000002BAD000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: combase.pdb5} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb#}#Ui source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb source: rundll32.exe, 00000003.00000002.613268258.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.528135679.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.563830919.000000006E221000.00000002.00020000.sdmp, WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp, lj3H69Z3Io.dll
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbf source: WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Bed.pdbBv source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 00000011.00000003.533142014.0000000003105000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb0Pb" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: winspool.pdbUN source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbNPd" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdblPF"e source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb?} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbtP." source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.533631070.0000000003116000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: combase.pdbjPX"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp
Source: Binary string: wtsapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbK} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb>j$U source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbANs source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb-}%Ur source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb`PR"C source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Nc:\201\Their\Quart-Sheet\497_who\Bed.pdb source: WerFault.exe, 0000000F.00000003.532839639.0000000004CCE000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.570661557.00000000048DD000.00000004.00000001.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: a'pjr*pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.548507625.0000000002E32000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E218626 FindFirstFileExA, 4_2_6E218626

System Summary:

Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03092D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 2_2_03092D06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03098005 NtQueryVirtualMemory, 2_2_03098005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D1B9C GetProcAddress,NtCreateSection,memset, 3_2_6E1D1B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D1EC7 NtMapViewOfSection, 3_2_6E1D1EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D2485 NtQueryVirtualMemory, 3_2_6E1D2485
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03093109 2_2_03093109
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03097DE0 2_2_03097DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03092206 2_2_03092206
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D2264 3_2_6E1D2264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F7CA0 3_2_6E1F7CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1FB840 3_2_6E1FB840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2096BD 3_2_6E2096BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20CEC0 3_2_6E20CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20FF3F 3_2_6E20FF3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E205FDD 3_2_6E205FDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1F7CA0 4_2_6E1F7CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1FB840 4_2_6E1FB840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2096BD 4_2_6E2096BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E20CEC0 4_2_6E20CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E20FF3F 4_2_6E20FF3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E205FDD 4_2_6E205FDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E216CF9 4_2_6E216CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E219B9C 4_2_6E219B9C
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E204A80 appears 66 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E20B4B4 appears 34 times
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 652
Uses 32bit PE files
Source: lj3H69Z3Io.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal48.winDLL@17/12@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0309513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_0309513E
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2924
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess644
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE636.tmp
Source: lj3H69Z3Io.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Source: lj3H69Z3Io.dll Virustotal: Detection: 41%
Source: lj3H69Z3Io.dll ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 660
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: lj3H69Z3Io.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: lj3H69Z3Io.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb~PT"a source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbDP~". source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Bed.pdb' source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdbEOSz source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdbVPL"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: Bed.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbsG7" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbsNA source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb}IU source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.533933827.0000000002EAF000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.534503789.000000000310A000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbAw source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbGNM source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbz source: WerFault.exe, 00000015.00000003.572645587.0000000002BAD000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: combase.pdb5} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb#}#Ui source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb source: rundll32.exe, 00000003.00000002.613268258.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.528135679.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.563830919.000000006E221000.00000002.00020000.sdmp, WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp, lj3H69Z3Io.dll
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbf source: WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Bed.pdbBv source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 00000011.00000003.533142014.0000000003105000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb0Pb" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: winspool.pdbUN source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbNPd" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdblPF"e source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb?} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbtP." source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.533631070.0000000003116000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: combase.pdbjPX"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp
Source: Binary string: wtsapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbK} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb>j$U source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbANs source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb-}%Ur source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb`PR"C source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: Nc:\201\Their\Quart-Sheet\497_who\Bed.pdb source: WerFault.exe, 0000000F.00000003.532839639.0000000004CCE000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.570661557.00000000048DD000.00000004.00000001.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source: Binary string: a'pjr*pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.548507625.0000000002E32000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D1F7C LoadLibraryA,GetProcAddress, 3_2_6E1D1F7C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03097DCF push ecx; ret 2_2_03097DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03097A60 push ecx; ret 2_2_03097A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D2200 push ecx; ret 3_2_6E1D2209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D2253 push ecx; ret 3_2_6E1D2263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20446D push ecx; ret 3_2_6E204480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E204AC6 push ecx; ret 3_2_6E204AD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E24F506 push ds; ret 3_2_6E24F508
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E20446D push ecx; ret 4_2_6E204480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1D2D07 push ebp; ret 4_2_6E1D2D17
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E204AC6 push ecx; ret 4_2_6E204AD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1D6129 push eax; ret 4_2_6E1D6186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1D49D3 push ecx; iretd 4_2_6E1D49D8
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E218626 FindFirstFileExA, 4_2_6E218626
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000F.00000002.567556542.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000002.603059974.000000000482F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1D1EB0 LdrInitializeThunk,LdrInitializeThunk,VirtualProtect,GetWindowsDirectoryA, 4_2_6E1D1EB0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E20875F
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1D1F7C LoadLibraryA,GetProcAddress, 3_2_6E1D1F7C
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20DF99 mov eax, dword ptr fs:[00000030h] 3_2_6E20DF99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E24D8B6 mov eax, dword ptr fs:[00000030h] 3_2_6E24D8B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E24D7E5 mov eax, dword ptr fs:[00000030h] 3_2_6E24D7E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E24D3EC push dword ptr fs:[00000030h] 3_2_6E24D3EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E20DF99 mov eax, dword ptr fs:[00000030h] 4_2_6E20DF99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20462D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E20462D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E20875F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E204901 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E204901
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E20462D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6E20462D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E20875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E20875F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E204901 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E204901
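The PEB reads through fs:[30h], the IsDebuggerPresent calls and the LoadLibraryA/GetProcAddress pair listed above can be located statically before a sample is ever run. The script below is an added example and is not part of the sandbox output: it scans a byte blob for the x86 encodings of `mov eax, fs:[30h]` and `push dword ptr fs:[30h]` (plus the ModR/M form that loads the PEB pointer into any 32-bit register) and for the API names as they would appear in an import name table. The sample bytes are constructed for the example, not taken from lj3H69Z3Io.dll. One caveat a practitioner should keep in mind: the `IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter` sequence (with or without the leading `IsProcessorFeaturePresent`) is also exactly what the Visual C++ runtime's own /GS failure handler looks like, so such a hit is a lead to correlate with the PEB reads, not a verdict on its own.

```python
"""Static triage for the anti-debugging indicators the report lists: direct
PEB reads through fs:[0x30] and references to IsDebuggerPresent or the
LoadLibraryA/GetProcAddress pair. Added example; the sample bytes below are
constructed, not taken from lj3H69Z3Io.dll."""
import re

# Byte encodings of the x86 instructions the report disassembles (fs segment
# prefix 0x64 followed by a disp32 of 0x30), plus the ModR/M form that loads
# the PEB pointer into any 32-bit register (eax, ecx, edx, ebx, esp, ebp, esi, edi).
PEB_PATTERNS = {
    "mov eax, fs:[30h]":       re.compile(rb"\x64\xA1\x30\x00\x00\x00"),
    "push dword ptr fs:[30h]": re.compile(rb"\x64\xFF\x35\x30\x00\x00\x00"),
    "mov r32, fs:[30h]":       re.compile(rb"\x64\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00"),
}

# API names worth correlating with the PEB reads; they appear NUL-terminated
# in an import name table or as strings handed to GetProcAddress.
ANTI_DEBUG_APIS = ("IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess")
DYNAMIC_RESOLVE_APIS = ("LoadLibraryA", "LoadLibraryW", "GetProcAddress", "LdrGetProcedureAddress")


def find_peb_reads(blob):
    """Return (offset, description) for every fs:[30h] access in the blob."""
    hits = []
    for label, pat in PEB_PATTERNS.items():
        hits.extend((m.start(), label) for m in pat.finditer(blob))
    return sorted(hits)


def find_api_names(blob, names):
    """Return the subset of names present as NUL-terminated ASCII strings."""
    return sorted(n for n in names if n.encode() + b"\x00" in blob)


def triage(blob):
    """Combine the indicators into the same categories the report uses."""
    peb = find_peb_reads(blob)
    anti = find_api_names(blob, ANTI_DEBUG_APIS)
    dyn = find_api_names(blob, DYNAMIC_RESOLVE_APIS)
    tags = []
    if peb:
        tags.append("reads the PEB")
    if anti:
        tags.append("checks for a debugger")
    if "GetProcAddress" in dyn or "LdrGetProcedureAddress" in dyn:
        tags.append("resolves APIs dynamically")
    return {"peb_reads": peb, "anti_debug_apis": anti,
            "dynamic_resolve_apis": dyn, "tags": tags}


# Constructed x86 fragment: a hand-rolled BeingDebugged check (PEB+2), then the
# push form, then a few import-style strings. These are not bytes from the sample.
SAMPLE = (
    b"\x55\x8B\xEC"                   # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"       # mov eax, fs:[30h]        ; PEB
    b"\x0F\xB6\x40\x02"               # movzx eax, byte [eax+2]  ; PEB.BeingDebugged
    b"\x85\xC0\x75\x05"               # test eax, eax ; jnz +5
    b"\x64\xFF\x35\x30\x00\x00\x00"   # push dword ptr fs:[30h]
    b"\xC3"                           # ret
    + b"\x00" * 8
    + b"IsDebuggerPresent\x00LoadLibraryA\x00GetProcAddress\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for off, what in result["peb_reads"]:
        print(f"0x{off:04x}: {what}")
    print(", ".join(result["tags"]))
```

Run it against a PE section dump (or the whole file) rather than the raw disk image of a packed sample: the report's functions live in the rundll32 process memory at 6E1Dxxxx/6E2xxxxx, so for a sample that unpacks at runtime the patterns only appear in a memory dump taken after unpacking.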

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmp Binary or memory string: Progmanlock
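The process creation recorded above is the usual loader pattern for this kind of DLL: cmd.exe starts rundll32.exe with the dropped file from the user's Desktop and an ordinal export (`,#1`) rather than a named one. The following Python is an added example, not part of the report, for hunting that pattern in process-creation telemetry. The events are constructed in a Sysmon-like key/value shape; the first mirrors the command line the sandbox recorded (the single quotes are how the sandbox rendered it, a real cmd.exe launch would typically use double quotes or none, and the regex accepts all three), the other two are invented for contrast. The field names, the user-writable path list, the parent-process list and the scoring weights are all assumptions to tune against your own telemetry.

```python
"""Process-creation hunt for the rundll32 launch pattern in the report:
a DLL in a user-writable path invoked by ordinal (',#1') from a scripting
parent. Added example over constructed Sysmon-style events; the first event
mirrors the command line the sandbox recorded, the others are invented."""
import re

# rundll32[.exe] <dll>,<export> -- the DLL may be bare, single- or double-quoted.
# A rundll32 launch with no ",export" part is not matched (nothing to assess).
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?[\"']?\s+(?P<q>[\"']?)(?P<dll>[^\"',]+?)(?P=q)\s*,\s*"
    r"(?P<export>#\d+|[A-Za-z_]\w*)",
    re.I,
)
# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\AppData\\|\\Temp\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\", re.I)
# Assumed set of parents that rarely have a legitimate reason to call rundll32.
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}


def assess(event):
    """Score one process-creation event; None if it is not a rundll32 DLL launch."""
    m = RUNDLL32_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    dll, export = m.group("dll").strip(), m.group("export")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons = []  # (explanation, weight); weights are assumptions
    if export.startswith("#"):
        reasons.append(("export called by ordinal, hides the function name", 2))
    if USER_WRITABLE_RE.search(dll):
        reasons.append(("DLL in a user-writable directory", 2))
    if not SYSTEM_DIR_RE.match(dll):
        reasons.append(("DLL outside %SystemRoot%", 1))
    if parent in SCRIPT_PARENTS:
        reasons.append((f"spawned by {parent}", 1))
    return {"dll": dll, "export": export, "parent": parent,
            "ordinal": export.startswith("#"),
            "score": sum(w for _, w in reasons),
            "reasons": [text for text, _ in reasons]}


def hunt(events, threshold=3):
    """Return the assessments that reach the alert threshold, in input order."""
    flagged = []
    for ev in events:
        a = assess(ev)
        if a and a["score"] >= threshold:
            flagged.append(a)
    return flagged


# Constructed events. Only the first reflects what the report recorded.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1"},
    # Benign: the shell invoking a system DLL by name from %SystemRoot%.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    # Named export, but a DLL staged in Temp by an Office parent.
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\upd.dll,Install"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['score']:>2}  {hit['dll']} -> {hit['export']}  ({'; '.join(hit['reasons'])})")
```

Ordinal exports are legitimate in some installer and driver-setup DLLs, which is why the example scores rather than matches: the combination of an ordinal, a user-writable DLL path and a scripting or Office parent is what distinguishes the launch in this report from routine rundll32 use.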

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03094454 cpuid 2_2_03094454
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 3_2_6E1D1E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E21C3CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E21C643
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E21C68E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E21C729
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E2134FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E21CD03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E21CB2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E213961
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6E21C3CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E21C643
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E21C68E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E21C729
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E21C7B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E21CC36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E2134FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E21CD03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E21C59A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E21CA06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6E21CB2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E213961
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03096B0F HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process, 2_2_03096B0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03094454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 2_2_03094454
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E213009 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 4_2_6E213009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03094C1B CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 2_2_03094C1B
No contacted IP infos