Play interactive tour

Edit tour

Windows Analysis Report lj3H69Z3Io.dll

Overview

General Information

Sample Name:	lj3H69Z3Io.dll
Analysis ID:	447090
MD5:	0bb29556ece1c51c751cb4e7c8752ddc
SHA1:	324cc356a56c68e51f09348e91405001e68e4a08
SHA256:	af1b052362469a67fcd871558b24efa2be44a4b29f88112e5c2d2295a1dc4252
Tags:	dllGoziISFBUrsnif
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

One or more processes crash

Queries the installation date of Windows

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2392 cmdline: loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 2200 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6068 cmdline: rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6072 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 644 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 3860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 644 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 1312 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2924 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 660 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: lj3H69Z3Io.dll	Virustotal: Detection: 41%			Perma Link
Source: lj3H69Z3Io.dll	ReversingLabs: Detection: 31%

Source: lj3H69Z3Io.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: lj3H69Z3Io.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: shlwapi.pdb9} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdbdj source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbXPJ"i source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdbyN[ source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbrP " source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb$ source: WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdbMNG source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb[Ny source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbBPp" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb( source: WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb~PT"a source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbDP~". source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: Bed.pdb' source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdbEOSz source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdbVPL"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: Bed.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdbsG7" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbsNA source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb}IU source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.533933827.0000000002EAF000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.534503789.000000000310A000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbAw source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbGNM source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbz source: WerFault.exe, 00000015.00000003.572645587.0000000002BAD000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb5} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb#}#Ui source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb source: rundll32.exe, 00000003.00000002.613268258.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.528135679.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.563830919.000000006E221000.00000002.00020000.sdmp, WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp, lj3H69Z3Io.dll
Source:	Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbf source: WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: Bed.pdbBv source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb( source: WerFault.exe, 00000011.00000003.533142014.0000000003105000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb0Pb" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: winspool.pdbUN source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbNPd" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdblPF"e source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb?} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdbtP." source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.533631070.0000000003116000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbjPX"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp
Source:	Binary string: wtsapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbK} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: netutils.pdb>j$U source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbANs source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb-}%Ur source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb`PR"C source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: Nc:\201\Their\Quart-Sheet\497_who\Bed.pdb source: WerFault.exe, 0000000F.00000003.532839639.0000000004CCE000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.570661557.00000000048DD000.00000004.00000001.sdmp
Source:	Binary string: netutils.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: a'pjr*pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.548507625.0000000002E32000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E218626 FindFirstFileExA,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03092D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03098005 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D1B9C GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D1EC7 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D2485 NtQueryVirtualMemory,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03093109
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03097DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03092206
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D2264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F7CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FB840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2096BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E20CEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E20FF3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E205FDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1F7CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1FB840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E2096BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E20CEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E20FF3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E205FDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E216CF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E219B9C

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E204A80 appears 66 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E20B4B4 appears 34 times

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 652

Source: lj3H69Z3Io.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal48.winDLL@17/12@0/0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_0309513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2924
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess644

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE636.tmp

Jump to behavior

Source: lj3H69Z3Io.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection

Source: lj3H69Z3Io.dll	Virustotal: Detection: 41%
Source: lj3H69Z3Io.dll	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 644
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 660
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: lj3H69Z3Io.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: lj3H69Z3Io.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: shlwapi.pdb9} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdbdj source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbXPJ"i source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdbyN[ source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbrP " source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb$ source: WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdbMNG source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb[Ny source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbBPp" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb( source: WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb~PT"a source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbDP~". source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: Bed.pdb' source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdbEOSz source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdbVPL"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: Bed.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdbsG7" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdbsNA source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb}IU source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000F.00000003.533933827.0000000002EAF000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.534503789.000000000310A000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.572578317.0000000002B70000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbAw source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbGNM source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbz source: WerFault.exe, 00000015.00000003.572645587.0000000002BAD000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb5} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb#}#Ui source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb source: rundll32.exe, 00000003.00000002.613268258.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.528135679.000000006E221000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.563830919.000000006E221000.00000002.00020000.sdmp, WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.571572737.00000000048BE000.00000004.00000001.sdmp, lj3H69Z3Io.dll
Source:	Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbf source: WerFault.exe, 0000000F.00000003.533122427.0000000002EEB000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: Bed.pdbBv source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb( source: WerFault.exe, 00000011.00000003.533142014.0000000003105000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb0Pb" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: winspool.pdbUN source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdbNPd" source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdblPF"e source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: netapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb?} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdbtP." source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.533631070.0000000003116000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.540531872.0000000005280000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540693865.00000000053A0000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580360213.00000000029F0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbjPX"r source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.533609109.0000000003110000.00000004.00000001.sdmp
Source:	Binary string: wtsapi32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdbK} source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: netutils.pdb>j$U source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbANs source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb-}%Ur source: WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.540485682.00000000052A0000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.540661317.00000000053D1000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.580318352.0000000004DE2000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb`PR"C source: WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: Nc:\201\Their\Quart-Sheet\497_who\Bed.pdb source: WerFault.exe, 0000000F.00000003.532839639.0000000004CCE000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.570661557.00000000048DD000.00000004.00000001.sdmp
Source:	Binary string: netutils.pdb source: WerFault.exe, 0000000F.00000003.540545637.0000000005286000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.540718157.00000000053A6000.00000004.00000040.sdmp, WerFault.exe, 00000015.00000003.580373487.00000000029F6000.00000004.00000040.sdmp
Source:	Binary string: a'pjr*pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.548507625.0000000002E32000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E1D1F7C LoadLibraryA,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03097DCF push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_03097A60 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D2200 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1D2253 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E20446D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E204AC6 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E24F506 push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E20446D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D2D07 push ebp; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E204AC6 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D6129 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E1D49D3 push ecx; iretd

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E218626 FindFirstFileExA,

Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000F.00000002.567556542.0000000004C00000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000002.603059974.000000000482F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000F.00000002.567770275.0000000004D00000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.552696480.0000000005070000.00000002.00000001.sdmp, WerFault.exe, 00000015.00000002.604064037.0000000004F50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E1D1EB0 LdrInitializeThunk,LdrInitializeThunk,VirtualProtect,GetWindowsDirectoryA,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E20875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E1D1F7C LoadLibraryA,GetProcAddress,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E20DF99 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E24D8B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E24D7E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E24D3EC push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E20DF99 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E20462D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E20875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E204901 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E20462D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E20875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E204901 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1

Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000003.00000002.610065076.0000000003120000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000000.524954099.00000000030C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.525841461.0000000003280000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_03094454 cpuid

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_03096B0F HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_03094454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E213009 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_03094C1B CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection12	Virtualization/Sandbox Evasion1	OS Credential Dumping	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery33	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
lj3H69Z3Io.dll	42%	Virustotal		Browse
lj3H69Z3Io.dll	6%	Metadefender		Browse
lj3H69Z3Io.dll	31%	ReversingLabs	Win32.Trojan.Ursnif

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.rundll32.exe.3090000.2.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
3.2.rundll32.exe.2a70000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	447090
Start date:	12.07.2021
Start time:	11:34:57
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	lj3H69Z3Io.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winDLL@17/12@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 64% (good quality ratio 58.3%) Quality average: 73.9% Quality standard deviation: 31.5%
HCA Information:	Successful, ratio: 88% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.147.198.201, 13.88.21.125, 23.0.174.200, 23.0.174.185, 104.42.151.234, 95.100.54.203, 40.88.32.150, 52.255.188.83, 13.64.90.137, 20.190.160.74, 20.190.160.131, 20.190.160.5, 20.190.160.68, 20.190.160.9, 20.190.160.72, 20.190.160.7, 20.190.160.130, 20.190.160.135, 20.190.160.70, 20.190.160.1 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, login.live.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
11:37:35	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8e10347d3010a05cec57e2a7338104047e76f62_82810a17_0b7b5422\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11844
Entropy (8bit):	3.772182897781727
Encrypted:	false
SSDEEP:	192:FvIij0oX0ZyHVFeMjed+C/u7sJS274ItWcV:Oi9XwKVFeMjen/u7sJX4ItWcV
MD5:	98764053EC0F511D8C5D96513783CA3D
SHA1:	B40C1D4874A55B3691F6919F017472F07B5C07F4
SHA-256:	E7264BFE9EC16F603004FCE25B9BDCF28B7DF62B2787B779B3C2A51BC1F13782
SHA-512:	9349228CE8477F1957230E07E2668FDCF12CB302471B7CCE5CD840C7AD379C3C62AD353C6026060034A6BF2218FE84B9E83F5C167CBAA4006873B8F466E911C7
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.0.5.8.8.6.6.2.6.8.8.9.5.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.0.5.8.8.6.7.1.3.4.1.5.3.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.d.3.1.f.7.2.-.4.4.5.6.-.4.9.7.a.-.b.4.3.4.-.2.2.6.5.b.3.e.6.1.a.a.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.9.e.6.1.f.1.-.3.6.6.4.-.4.9.7.2.-.b.e.f.7.-.f.8.8.5.6.0.e.d.4.5.c.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.6.c.-.0.0.0.1.-.0.0.1.7.-.4.1.9.3.-.f.d.c.7.4.c.7.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8e10347d3010a05cec57e2a7338104047e76f62_82810a17_0feb1257\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11852
Entropy (8bit):	3.7724877771622407
Encrypted:	false
SSDEEP:	192:pIPtip0oXPZyHVFeMjed+C/u7sJS274ItWc5:UtiHXhKVFeMjen/u7sJX4ItWc5
MD5:	9D46E94DE0C102E2B188098887BC46C4
SHA1:	72324E1311D110D5BC7AE91020192E7F328B1046
SHA-256:	6D5582D44934F0D865C3C291EC1079CF39BEF84CC58C7BEA256459B3E521390E
SHA-512:	99D956F51312CA9999FE24C58B0366A5E9C305F55895F270394451D79B46DA0393065410F03DBF3F0958F25CAC2B3FDF2D0A4A47F94ED8520B8ACD271CE92F7B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.0.5.8.8.6.4.4.5.0.1.4.5.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.0.5.8.8.6.5.3.0.4.8.2.9.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.7.3.c.1.9.f.-.2.5.4.2.-.4.1.6.6.-.a.a.0.b.-.2.5.5.6.5.5.4.8.8.4.5.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.f.7.f.4.f.9.c.-.b.c.3.7.-.4.9.6.1.-.b.9.e.9.-.a.f.b.4.b.3.5.0.0.0.d.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.8.4.-.0.0.0.1.-.0.0.1.7.-.6.f.0.f.-.1.f.c.0.4.c.7.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_a0d4b84b30b3d4d6122ce7696ca9e3f4f1b52d_82810a17_1216fb83\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11476
Entropy (8bit):	3.768875643122173
Encrypted:	false
SSDEEP:	192:Sij0oXXHKvgsv5yjed+f/u7sJS274It7cf:Si9X3Kvgsv5yjeS/u7sJX4It7cf
MD5:	73201D26AA92F253283D7E2FA80EA01D
SHA1:	9E33A897F2DCE37B89DB00563A4086BB7556FAFC
SHA-256:	71E9DD74E26CDADE6B461668A99FDD0605C20A216266864A73348EAB95CCD0CA
SHA-512:	943F2925D4808EA255075E83293628CB26631DCF08AB07F32E12B47AB8EE5B6EC578887264E46524B6A6529041A99591EEE1ADE79CDFF41FF03621FF401C1173
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.0.5.8.8.6.4.4.8.2.5.5.1.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.7.e.3.9.4.2.1.-.5.c.7.2.-.4.f.3.3.-.9.7.b.7.-.5.2.3.f.0.7.3.8.5.c.3.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.d.b.7.0.c.f.-.8.b.a.3.-.4.a.f.f.-.a.9.8.8.-.a.b.3.7.c.5.f.b.3.6.8.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.6.c.-.0.0.0.1.-.0.0.1.7.-.4.1.9.3.-.f.d.c.7.4.c.7.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.!.1.0.3.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D51.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jul 12 18:37:45 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	279610
Entropy (8bit):	1.6742774830215899
Encrypted:	false
SSDEEP:	768:eSFnI+naA6a7Q2AsUTusC7lSMWxJ6OXKBMg2VBIwqo:eSFBdAhCxOXKAIdo
MD5:	D253E3147DCE1CF34D14F0D50E09528C
SHA1:	B24900CE0D71CFBFEC6DF206ECD88E35F673CC45
SHA-256:	05BB24CDB6C52AA788043E98B9DD621B3BC9DBE3C7F8FF62ED95A308F23E7565
SHA-512:	64B83B9686358846A9E879B7A80BC471AAC954065E46239CF50E8F95AB70544F34F2D6C12915A6C6E2412A0C1728430F3ED3EDE407E1FDAD483353F0C300B486
Malicious:	false
Preview:	MDMP....... ..........`...................U...........B..............GenuineIntelW...........T.......l......`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3996.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8288
Entropy (8bit):	3.693305788190394
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiYi6t9Xp6YIu6DaZbgmfTk8GSLCpDd89bQCsfrUwm:RrlsNil6t9Z6YB6DalgmfTkrSRQBfu
MD5:	EA67DF723579F9F5F17E692A8CA9BD24
SHA1:	46461B5E60EB40D89F7985FC5D56A2913BBFA3D4
SHA-256:	10F07CFB58F20FEB633C899E53FF866F7B9B74C943429F5292A41A9B90A375F8
SHA-512:	5814A115B08F81F593888CD61ECDA2E280CF969B36BEE529F3CE82B8D5916D2B394468CDD0D7B500B9FCE95A4CA11BCD9AFB68BB9DEFDDEF22AFDA32F3234FB2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.2.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E1C.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.457541334543927
Encrypted:	false
SSDEEP:	48:cvIwSD8zsqJgtWI9asWSC8BT48fm8M4JCdsGtFB+q8/5jcs4SrSMd:uITf4hFSNR1JgZ2csDWMd
MD5:	E6CCF4A3AA610785C50C173E1A7976C7
SHA1:	2FB6559D3E8D2EA6B7AF0574980772C232F7C077
SHA-256:	740A09BBBA4C0B2B302AAA3102D617B8D35CE09CADD1E068AF8EB0604AB7A089
SHA-512:	FD299617B050E254D4ECBBA43686E43BA56D1A6D3215A7F084E86E57546B4A4BB46BFB685A416B2CF863E9EB764FF4D6944EFAC73CA627FBFB2E3201E31AF6B4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1074468" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE636.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jul 12 18:37:26 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	280962
Entropy (8bit):	1.6190396470705883
Encrypted:	false
SSDEEP:	768:B03QgVkiA5gchbjEVUyDX6OaEJpSWp6cEj/qsWDyNVBMg2Vllg:BoQgVk/gcFEV5XgEJpY3qjmNVslg
MD5:	9AC78DF002B515CB73811D2CA5C3D41C
SHA1:	DD93200FFE9ABCDC1BF6D163CA61B947941C9319
SHA-256:	E67D5006C7D713C404C95F8E58B68B4FE52989D913671F3E4EBF595315E9A41E
SHA-512:	6AFC6E40C33C66FEA6A828C44CB79E7C2A377829C3F8608FCEC8A824749BB6127A41641A91A5617C77F2162F90E1571917B25F21FF39FF116A3AC26A43DAADA1
Malicious:	false
Preview:	MDMP....... .........`...................U...........B..............GenuineIntelW...........T..............`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE77E.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jul 12 18:37:27 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	31730
Entropy (8bit):	2.5908843139629227
Encrypted:	false
SSDEEP:	192:NLnXZTgxJ6P4LMI2+2dCF2V6qkIHPpsI5xWGnx:FJTmwIBl2g2V6q4I5lx
MD5:	B62BFAF733B3B9DB4873EB60FEC6812D
SHA1:	215947439972F9A2ADE25E26F1B35F9C5E201BE1
SHA-256:	6D66F2709120D2E6DCB4B0B1AD4E7F04AA8E47FF099E89E682518470DED7F018
SHA-512:	58804ED5C76A0A51962B999E0BA8DBE6B87A52DEEBB64466AE1BBED6BCCF1B81FE6079F48ED863664230432C47196FF339E73969B8188D3985B8336967BCF2E3
Malicious:	false
Preview:	MDMP....... .........`...................U...........B..............GenuineIntelW...........T.......l......`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0F5.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8282
Entropy (8bit):	3.6946242951270065
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNijb6qU/6YIK6+aJbgmfTk8GSLCpDu89bfLsfULVm:RrlsNi/6qU/6YN6+aVgmfTkrS8fQfX
MD5:	78A9B2639FBEB484496E0DD30F14E7A1
SHA1:	43BC95135E8C35ED12BB8D4CA4F58DB5ABEB879D
SHA-256:	E941E743CDC9F5AD163B9A90C879B798E5A3BF1000FED157808962EF70BE1DAA
SHA-512:	CD43799611CC01456BBAE8927318BC352085682861B3B57FA3D223B10A8FE7492EDC241EA257D87FA7A1991AB97485C0F79DA13EB9DB27353D343E28A38876A5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.4.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF152.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.690539983955562
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiYM6uAEd6YIm6+aJbgmf8lSJLCpBE89bfCsfDVm:RrlsNib6uAu6Yx6+aVgmf8lSJQfBfs
MD5:	8270ACC93A90BBC69A9E4C6E322D4123
SHA1:	448CB0408C15E46CC084445FA3A9D536DCEC8653
SHA-256:	7319A54E282E1C3850C36D98F55B4E923FAB4BCBBFD2A88EE8CBD28C84B4AB10
SHA-512:	F6A404AF9D1300A325277CBC0644EB00F4E1977A104A991E7F89B6971F907E5D150A8E094E2FF28B2BABEB509F1411EACC46799B676F5ADEACD86E0C7653837D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.2.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF53B.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.45574569896631
Encrypted:	false
SSDEEP:	48:cvIwSD8zsqJgtWI9asWSC8BNs8fm8M4JCdsGtFtJ+q8/5jH4SrS6d:uITf4hFSNTRJgFJ2HDW6d
MD5:	9CE1A35D608471E1CB4FC7B9D3E1677F
SHA1:	197E73863977B19EC31B551B1258363E311CF6F0
SHA-256:	78E8A937C8C36917C51CAEF293069B9D8677E176DD4E4799AB53B025755CAEFA
SHA-512:	608737A72FBA6E73EB41181E84EE29202D4C6AB7BAB6B259B6557E7EF9181BAB08853EA7586C8038DDE5AB426AFDC0639E03928ED0975A62D48B742F5C4EB000
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1074468" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5D8.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4731
Entropy (8bit):	4.450261196501411
Encrypted:	false
SSDEEP:	48:cvIwSD8zsqJgtWI9asWSC8Bo8fm8M4JCdsqFn+q8vjsDs4SrSMd:uITf4hFSNLJOKOsDWMd
MD5:	4C6796B08FFA1674376D69F88821DA34
SHA1:	C03827CB15E533002B3B3D291686985CD0382C0C
SHA-256:	99B1663F2E16E493E0CF5BC04A097D6EF5D1A53108DB3C099A61980B6DEBDF6B
SHA-512:	0D7C06F0FF244FA5A78AED9BC3BFA8630D1B0E9A03DA56D4BC1BD806693E12791D5BE8460DD4F696D1B74F46B6B3E06B2F324231F7C2E527412517BE21B5D350
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1074468" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.767213059044483
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lj3H69Z3Io.dll
File size:	512000
MD5:	0bb29556ece1c51c751cb4e7c8752ddc
SHA1:	324cc356a56c68e51f09348e91405001e68e4a08
SHA256:	af1b052362469a67fcd871558b24efa2be44a4b29f88112e5c2d2295a1dc4252
SHA512:	33d9a2b92f209ed7fea50bc388d34d7cce773217f73d58fda98ad94c13cd64621b92525602e87c016bab424f438ae96655af8d8250d642d9d7fc7a080f936c79
SSDEEP:	12288:pvlT2EsAw96epX+uHfa7Z5svN/RM2ZcV8TFITzhz3VFVUJcXH4nw7P1N:ZsN96cfKFVUJQu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H..5...f...f...f.z.f...f.z.f...f.z.f...f^..g...f^..g8..f^..g...f..}f...f...fv..f...g...f...g...f...g...fRich...f........PE..L..

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10340e7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5B2B4D21 [Thu Jun 21 07:00:49 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	df95180b6da9d16cb69b63ca8bb7f332

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F4810909B17h
call 00007F481090A295h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F48109099C8h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
mov eax, dword ptr [0107B164h]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [0107B164h]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F4810909B2Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F4810909B1Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F4810909B1Eh
add edx, 28h
cmp edx, esi
jne 00007F4810909AFCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F4810909B0Bh
push esi
call 00007F481090A616h
test eax, eax
je 00007F4810909B32h
mov eax, dword ptr fs:[00000018h]
mov esi, 01113000h
mov edx, dword ptr [eax+04h]
jmp 00007F4810909B16h
cmp edx, eax
je 00007F4810909B22h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F4810909B02h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
call 00007F481090A5E5h
test eax, eax
je 00007F4810909B19h
call 00007F481090A445h
jmp 00007F4810909B2Ah
call 00007F4810909B61h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x79890	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x79910	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x114000	0x3530	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x778f0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x77948	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x1c4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4f1c7	0x4f200	False	0.639085332741	data	6.65199808864	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0x2936e	0x29400	False	0.621620501894	data	6.09428205246	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7b000	0x98ad0	0x1000	False	0.2373046875	data	3.49060216778	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x114000	0x3530	0x3600	False	0.748191550926	data	6.69710092848	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetEnvironmentVariableA, GetSystemDirectoryA, GetTempPathA, GetWindowsDirectoryA, GetCurrentDirectoryA, DeleteFileA, SetConsoleCP, GetStartupInfoA, WriteConsoleW, GetProcessHeap, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, CreateProcessA, GetTickCount, CloseHandle, HeapSize, VirtualProtect, FindNextFileA, FindFirstFileExA, FindClose, HeapReAlloc, WideCharToMultiByte, GetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, MultiByteToWideChar, EncodePointer, DecodePointer, SetLastError, InitializeCriticalSectionAndSpinCount, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, CompareStringW, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, RtlUnwind, InterlockedFlushSList, FreeLibrary, LoadLibraryExW, CreateFileW, GetFileType, ExitProcess, GetModuleHandleExW, GetModuleFileNameA, HeapAlloc, HeapFree, GetACP, GetStdHandle, GetTimeZoneInformation, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, SetStdHandle, WriteFile, GetConsoleCP, GetConsoleMode, SetEndOfFile, ReadFile, ReadConsoleW, SetFilePointerEx, FlushFileBuffers
USER32.dll	GetClipboardData, SendMessageA, DestroyWindow, CheckRadioButton, SendDlgItemMessageW, SetClipboardData, SetForegroundWindow
ole32.dll	CoTaskMemFree, CoInitialize, CoTaskMemAlloc, CoUninitialize
ADVAPI32.dll	RegOpenKeyExA, RegCreateKeyA, RegCloseKey, RegQueryValueExA
WTSAPI32.dll	WTSCloseServer, WTSOpenServerA
NETAPI32.dll	NetWkstaGetInfo, NetWkstaSetInfo, NetApiBufferFree

Exports

Name	Ordinal	Address
Busysection	1	0x1028480
Dealthis	2	0x1028730
Sing	3	0x1028560
Teethshould	4	0x1027390

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 12, 2021 11:35:42.834290981 CEST	64267	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:35:42.848416090 CEST	53	64267	8.8.8.8	192.168.2.6
Jul 12, 2021 11:35:46.661123037 CEST	49448	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:35:46.674065113 CEST	53	49448	8.8.8.8	192.168.2.6
Jul 12, 2021 11:35:47.399993896 CEST	60342	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:35:47.450851917 CEST	53	60342	8.8.8.8	192.168.2.6
Jul 12, 2021 11:35:48.212610006 CEST	61346	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:35:48.225739002 CEST	53	61346	8.8.8.8	192.168.2.6
Jul 12, 2021 11:35:49.004206896 CEST	51774	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:35:49.017424107 CEST	53	51774	8.8.8.8	192.168.2.6
Jul 12, 2021 11:35:50.301012993 CEST	56023	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:35:50.314498901 CEST	53	56023	8.8.8.8	192.168.2.6
Jul 12, 2021 11:35:51.185600042 CEST	58384	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:35:51.198560953 CEST	53	58384	8.8.8.8	192.168.2.6
Jul 12, 2021 11:35:52.219711065 CEST	60261	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:35:52.233320951 CEST	53	60261	8.8.8.8	192.168.2.6
Jul 12, 2021 11:35:53.003760099 CEST	56061	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:35:53.018810987 CEST	53	56061	8.8.8.8	192.168.2.6
Jul 12, 2021 11:36:41.612941027 CEST	58336	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:36:41.633929968 CEST	53	58336	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:20.566775084 CEST	53781	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:20.579951048 CEST	53	53781	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:21.662216902 CEST	54064	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:21.675820112 CEST	53	54064	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:22.344091892 CEST	52811	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:22.364754915 CEST	53	52811	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:23.359174967 CEST	55299	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:23.372114897 CEST	53	55299	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:24.318350077 CEST	63745	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:24.334407091 CEST	53	63745	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:24.973493099 CEST	50055	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:24.986274958 CEST	53	50055	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:25.855635881 CEST	61374	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:25.869664907 CEST	53	61374	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:27.298402071 CEST	50339	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:27.311743021 CEST	53	50339	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:28.336294889 CEST	63307	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:28.350296974 CEST	53	63307	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:32.265516043 CEST	49694	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:32.306720972 CEST	53	49694	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:32.773094893 CEST	54982	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:32.786079884 CEST	53	54982	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:34.031423092 CEST	50010	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:34.045018911 CEST	53	50010	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:34.876960039 CEST	63718	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:34.891311884 CEST	53	63718	8.8.8.8	192.168.2.6
Jul 12, 2021 11:37:52.291438103 CEST	62116	53	192.168.2.6	8.8.8.8
Jul 12, 2021 11:37:52.305675983 CEST	53	62116	8.8.8.8	192.168.2.6

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 12, 2021 11:37:32.306720972 CEST	8.8.8.8	192.168.2.6	0xf4ff	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jul 12, 2021 11:37:34.045018911 CEST	8.8.8.8	192.168.2.6	0xdc08	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 2392 Parent PID: 5888

General

Start time:	11:35:51
Start date:	12/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll'
Imagebase:	0x8a0000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 2200 Parent PID: 2392

General

Start time:	11:35:51
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6072 Parent PID: 2392

General

Start time:	11:35:52
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6068 Parent PID: 2200

General

Start time:	11:35:52
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 644 Parent PID: 2392

General

Start time:	11:35:56
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 1312 Parent PID: 2392

General

Start time:	11:36:03
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: rundll32.exe PID: 2924 Parent PID: 2392

General

Start time:	11:36:10
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould
Imagebase:	0x1c0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 3860 Parent PID: 644

General

Start time:	11:37:21
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 652
Imagebase:	0x190000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 5776 Parent PID: 644

General

Start time:	11:37:21
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 644
Imagebase:	0x190000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 4840 Parent PID: 2924

General

Start time:	11:37:21
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 652
Imagebase:	0x190000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WerFault.exe PID: 2948 Parent PID: 2924

General

Start time:	11:37:39
Start date:	12/07/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 660
Imagebase:	0x190000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report lj3H69Z3Io.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

UDP Packets

DNS Answers

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 2392 Parent PID: 5888

General

Analysis Process: cmd.exe PID: 2200 Parent PID: 2392

General

Analysis Process: rundll32.exe PID: 6072 Parent PID: 2392

General

Analysis Process: rundll32.exe PID: 6068 Parent PID: 2200

General

Analysis Process: rundll32.exe PID: 644 Parent PID: 2392

General