
Windows Analysis Report hMUh2Mkqyi

Overview

General Information

Sample Name: hMUh2Mkqyi (renamed file extension from none to dll)
Analysis ID: 545441
MD5: 8337dd22aa86bc357f8bc573441a97c7
SHA1: 6dc2600455a42651c95c3b612406dabd1182bfee
SHA256: 0341b7e0b66e27bee166ba1fd9fad700d85e58a257bbfed1b60a662d97fc1617
Tags: 32, dll, exe, trojan

Detection

Dridex
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to delay execution (extensive OutputDebugStringW loop)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
Tries to load missing DLLs
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6908 cmdline: loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6940 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6992 cmdline: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 4428 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 740 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6980 cmdline: rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 856 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["104.36.167.47:443", "188.40.48.93:4664", "162.241.33.132:9217", "217.160.5.104:593"], "RC4 keys": ["MVvOFIilF0NXOL2BGlf3SZonbBup17KA", "6UfDOLUgX3hJ3XaposUIUiva9uclhs6fenw01keZT6Cxe8VImuG9Uw6F4mFEkE0ddDT1py8ABw"]}

Yara Overview

Memory Dumps

Source: 00000005.00000002.380457750.000000006E9F1000.00000020.00020000.sdmp | Rule: JoeSecurity_Dridex_1 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 00000004.00000000.361402259.000000006E9F1000.00000020.00020000.sdmp | Rule: JoeSecurity_Dridex_1 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 00000004.00000000.364148041.000000006E9F1000.00000020.00020000.sdmp | Rule: JoeSecurity_Dridex_1 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp | Rule: JoeSecurity_Dridex_1 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 00000005.00000000.355576755.000000006E9F1000.00000020.00020000.sdmp | Rule: JoeSecurity_Dridex_1 | Description: Yara detected Dridex unpacked file | Author: Joe Security
(1 further entry not shown)

Unpacked PEs

Source: 5.2.rundll32.exe.6e9f0000.2.unpack | Rule: JoeSecurity_Dridex_1 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 1.2.loaddll32.exe.6e9f0000.2.unpack | Rule: JoeSecurity_Dridex_1 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 4.0.rundll32.exe.6e9f0000.2.unpack | Rule: JoeSecurity_Dridex_1 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 4.0.rundll32.exe.6e9f0000.5.unpack | Rule: JoeSecurity_Dridex_1 | Description: Yara detected Dridex unpacked file | Author: Joe Security
Source: 5.0.rundll32.exe.6e9f0000.5.unpack | Rule: JoeSecurity_Dridex_1 | Description: Yara detected Dridex unpacked file | Author: Joe Security
(1 further entry not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6940, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, ProcessId: 6992

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.loaddll32.exe.6e9f0000.2.unpack | Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["104.36.167.47:443", "188.40.48.93:4664", "162.241.33.132:9217", "217.160.5.104:593"], "RC4 keys": ["MVvOFIilF0NXOL2BGlf3SZonbBup17KA", "6UfDOLUgX3hJ3XaposUIUiva9uclhs6fenw01keZT6Cxe8VImuG9Uw6F4mFEkE0ddDT1py8ABw"]}
Multi AV Scanner detection for submitted file
Source: hMUh2Mkqyi.dll | Virustotal: Detection: 64%
Machine Learning detection for sample
Source: hMUh2Mkqyi.dll | Joe Sandbox ML: detected
Source: hMUh2Mkqyi.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: hMUh2Mkqyi.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wininet.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb4 source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb: source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.361363751.00000000053F4000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361895023.00000000036A4000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361413981.00000000036A4000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.368940345.0000000001132000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.367568231.000000000502C000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source: Binary string: ntdsapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb* source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.373455294.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.362573150.000000000369E000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361405095.000000000369E000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.369578388.000000000112C000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb$ source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbF source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376980156.00000000055E5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb| source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb< source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000E.00000002.378039548.0000000001032000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000002.384410910.0000000000AD2000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbF source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdbh source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.361423675.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361718983.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.367632263.0000000001138000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb0 source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb" source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000E.00000003.362573150.000000000369E000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361405095.000000000369E000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376980156.00000000055E5000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbr source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb{3 source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.373455294.000000004B280000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb6 source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb4 source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: esent.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: pdh.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: ffty.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp, hMUh2Mkqyi.dll
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000E.00000003.361423675.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361718983.00000000036AA000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.367632263.0000000001138000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376917644.00000000055E2000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.367515508.00000000059F0000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376967246.00000000055E0000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000E.00000003.361895023.00000000036A4000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.361413981.00000000036A4000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: lz32.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.367500423.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.376845457.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: combase.pdbf source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb` source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 104.36.167.47:443
Source: Malware configuration extractor | IPs: 188.40.48.93:4664
Source: Malware configuration extractor | IPs: 162.241.33.132:9217
Source: Malware configuration extractor | IPs: 217.160.5.104:593
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: GIGASNET-ASUS
Source: Joe Sandbox View | IP Address: 162.241.33.132
Source: Joe Sandbox View | IP Address: 104.36.167.47
Source: WerFault.exe, 0000000E.00000003.376910791.0000000005304000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.376825293.0000000005303000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.378758827.0000000005305000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.14.dr | String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 5.2.rundll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.rundll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.rundll32.exe.6e9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.rundll32.exe.6e9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.rundll32.exe.6e9f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.380457750.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.361402259.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.364148041.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.810044742.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.355576755.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.357282433.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY

                      System Summary:

                      Source: hMUh2Mkqyi.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: hMUh2Mkqyi.dll | Binary or memory string: OriginalFilenameHen.dllD vs hMUh2Mkqyi.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 740
                      Source: C:\Windows\System32\loaddll32.exe | Section loaded: lz32.dll
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6EA00730
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6EA09370
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E9F1494
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E9FA4E8
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6EA0143C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E9F8428
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6EA02234 NtDelayExecution
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6EA02820 NtAllocateVirtualMemory
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E9FBB44 NtClose
                      Source: C:\Windows\System32\loaddll32.exe | Process Stats: CPU usage > 98%
                      Source: hMUh2Mkqyi.dll | Virustotal: Detection: 64%
                      Source: hMUh2Mkqyi.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 856
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6980
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6992
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED8.tmp
                      Source: classification engine | Classification label: mal80.troj.evad.winDLL@9/10@0/4
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: hMUh2Mkqyi.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: hMUh2Mkqyi.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: ffty.pdb source: WerFault.exe, 0000000E.00000003.367524898.00000000059F6000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376995596.00000000055E8000.00000004.00000040.sdmp, WerFault.exe, 00000012.00000003.376924560.00000000055E8000.00000004.00000040.sdmp, hMUh2Mkqyi.dll
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E9FF6A8 push esi; mov dword ptr [esp], 00000000h | 1_2_6E9FF6A9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to delay execution (extensive OutputDebugStringW loop)
                      Source: C:\Windows\System32\loaddll32.exe; Section loaded: OutputDebugStringW count: 1680
                      Source: C:\Windows\System32\loaddll32.exe; Window / User API: threadDelayed 1680
                      Source: C:\Windows\System32\loaddll32.exe; Last function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exe; Last function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_6EA00730 GetTokenInformation,GetSystemInfo,GetTokenInformation, 1_2_6EA00730
                      Source: Amcache.hve.14.dr; Binary or memory string: VMware
                      Source: Amcache.hve.14.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.14.dr; Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.14.dr; Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.14.dr; Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.14.dr; Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.14.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.14.dr; Binary or memory string: VMware7,1
                      Source: Amcache.hve.14.dr; Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.14.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.14.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: WerFault.exe, 0000000E.00000002.378850405.00000000053D9000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.378912915.0000000005402000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.378456295.00000000035E8000.00000004.00000020.sdmp, WerFault.exe, 0000000E.00000003.376896256.0000000005402000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.14.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.14.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.14.dr; Binary or memory string: VMware, Inc.me
                      Source: Amcache.hve.14.dr; Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
                      Source: Amcache.hve.14.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.14.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_6E9F6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 1_2_6E9F6D0C
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 1_2_6EA03138 RtlAddVectoredExceptionHandler, 1_2_6EA03138
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
                      Source: loaddll32.exe, 00000001.00000002.808601203.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.363634450.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.360726990.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.357050923.0000000003380000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.355008368.0000000003380000.00000002.00020000.sdmp; Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000001.00000002.808601203.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.363634450.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.360726990.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.357050923.0000000003380000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.355008368.0000000003380000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000001.00000002.808601203.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.363634450.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.360726990.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.357050923.0000000003380000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.355008368.0000000003380000.00000002.00020000.sdmp; Binary or memory string: Progman
                      Source: loaddll32.exe, 00000001.00000002.808601203.00000000013C0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.363634450.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.360726990.0000000003980000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.357050923.0000000003380000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.355008368.0000000003380000.00000002.00020000.sdmp; Binary or memory string: Progmanlock