
Windows Analysis Report G7ABVJxc3Z.dll

Overview

General Information

Sample Name: G7ABVJxc3Z.dll
Analysis ID: 545442
MD5: 47c59530065e8e7e05a855879bf8a922
SHA1: 8fba3ea2428f92e8dc8497514d0817b54edc5be0
SHA256: e4db910a4147ac44bef76f71e6b0d6bd193b89a6268dda35f3b1c210cc111fe4
Tags: 32, dll, Dridex, exe, trojan

Detection

Dridex
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to delay execution (extensive OutputDebugStringW loop)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
Tries to load missing DLLs
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Abnormal high CPU Usage

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6380 cmdline: loaddll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6376 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6484 cmdline: rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 5728 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 740 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6496 cmdline: rundll32.exe C:\Users\user\Desktop\G7ABVJxc3Z.dll,Wgpomsdeeomtunmdrt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4864 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 864 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["104.36.167.47:443", "188.40.48.93:4664", "162.241.33.132:9217", "217.160.5.104:593"], "RC4 keys": ["MVvOFIilF0NXOL2BGlf3SZonbBup17KA", "6UfDOLUgX3hJ3XaposUIUiva9uclhs6fenw01keZT6Cxe8VImuG9Uw6F4mFEkE0ddDT1py8ABw"]}

Yara Overview

Memory Dumps

Source: 00000002.00000000.740603075.000000006E471000.00000020.00020000.sdmp; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security
Source: 00000003.00000002.831692261.000000006E471000.00000020.00020000.sdmp; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security
Source: 00000000.00000002.1054100443.000000006E471000.00000020.00020000.sdmp; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security
Source: 00000002.00000000.742949248.000000006E471000.00000020.00020000.sdmp; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security
Source: 00000003.00000000.733407707.000000006E471000.00000020.00020000.sdmp; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security

Unpacked PEs

Source: 3.0.rundll32.exe.6e470000.5.unpack; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security
Source: 2.0.rundll32.exe.6e470000.2.unpack; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security
Source: 3.2.rundll32.exe.6e470000.2.unpack; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security
Source: 2.0.rundll32.exe.6e470000.5.unpack; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security
Source: 0.2.loaddll32.exe.6e470000.2.unpack; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6376, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1, ProcessId: 6484

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 2.0.rundll32.exe.6e470000.2.unpack; Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["104.36.167.47:443", "188.40.48.93:4664", "162.241.33.132:9217", "217.160.5.104:593"], "RC4 keys": ["MVvOFIilF0NXOL2BGlf3SZonbBup17KA", "6UfDOLUgX3hJ3XaposUIUiva9uclhs6fenw01keZT6Cxe8VImuG9Uw6F4mFEkE0ddDT1py8ABw"]}
Multi AV Scanner detection for submitted file
Source: G7ABVJxc3Z.dll; Virustotal: Detection: 64%
Source: G7ABVJxc3Z.dll; ReversingLabs: Detection: 67%
Machine Learning detection for sample
Source: G7ABVJxc3Z.dll; Joe Sandbox ML: detected
Source: G7ABVJxc3Z.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: G7ABVJxc3Z.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; IPs: 104.36.167.47:443
Source: Malware configuration extractor; IPs: 188.40.48.93:4664
Source: Malware configuration extractor; IPs: 162.241.33.132:9217
Source: Malware configuration extractor; IPs: 217.160.5.104:593
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View; ASN Name: GIGASNET-ASUS
Source: Joe Sandbox View; IP Address: 162.241.33.132
Source: Joe Sandbox View; IP Address: 104.36.167.47
Source: Amcache.hve.7.dr; String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match; File source: 3.0.rundll32.exe.6e470000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.rundll32.exe.6e470000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.6e470000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.rundll32.exe.6e470000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.loaddll32.exe.6e470000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.0.rundll32.exe.6e470000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000000.740603075.000000006E471000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.831692261.000000006E471000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1054100443.000000006E471000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.742949248.000000006E471000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.733407707.000000006E471000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.734461323.000000006E471000.00000020.00020000.sdmp, type: MEMORY

                      System Summary:

                      Source: G7ABVJxc3Z.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: G7ABVJxc3Z.dll; Binary or memory string: OriginalFilenameHen.dllD vs G7ABVJxc3Z.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 740
                      Source: C:\Windows\System32\loaddll32.exe; Section loaded: lz32.dll
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E480730
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E489370
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E478428
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E48143C
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E47A4E8
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E471494
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E482234 NtDelayExecution,
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E482820 NtAllocateVirtualMemory,
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6E47BB44 NtClose,
                      Source: C:\Windows\System32\loaddll32.exe; Process Stats: CPU usage > 98%
                      Source: G7ABVJxc3Z.dll; Virustotal: Detection: 64%
                      Source: G7ABVJxc3Z.dll; ReversingLabs: Detection: 67%
                      Source: G7ABVJxc3Z.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\G7ABVJxc3Z.dll,Wgpomsdeeomtunmdrt
                      Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll"
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\G7ABVJxc3Z.dll,Wgpomsdeeomtunmdrt
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 740
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 864
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\G7ABVJxc3Z.dll,Wgpomsdeeomtunmdrt
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1
                      Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6496
                      Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6484
                      Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE64C.tmp
                      Source: classification engine; Classification label: mal80.troj.evad.winDLL@9/10@0/4
                      Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
                      Source: G7ABVJxc3Z.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: G7ABVJxc3Z.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: advapi32.pdbg source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: wininet.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: shlwapi.pdb- source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.738518668.00000000047D6000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.746276509.00000000052BA000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754153760.0000000005002000.00000004.00000010.sdmp
                      Source: Binary string: dwmapi.pdb9 source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: WINMMBASE.pdb/ source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: cryptbase.pdb[ source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: ntdsapi.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: combase.pdb7 source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: powrprof.pdbO source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754217148.0000000005000000.00000004.00000010.sdmp
                      Source: Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.775462596.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754227326.0000000005005000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754153760.0000000005002000.00000004.00000010.sdmp
                      Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: a[ojr^oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000A.00000002.766190081.00000000030C2000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: combase.pdbE source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754153760.0000000005002000.00000004.00000010.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: fltLib.pdbO source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.739048993.0000000002A3C000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754217148.0000000005000000.00000004.00000010.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: imagehlp.pdbI source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: sechost.pdb# source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: lz32.pdbo source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb; source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: ffty.pdbb source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: msctf.pdbW source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754227326.0000000005005000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754153760.0000000005002000.00000004.00000010.sdmp
                      Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754153760.0000000005002000.00000004.00000010.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: propsys.pdbQ source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: mpr.pdba source: WerFault.exe, 0000000A.00000003.754217148.0000000005000000.00000004.00000010.sdmp
                      Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.775462596.000000004B280000.00000004.00000001.sdmp
                      Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754153760.0000000005002000.00000004.00000010.sdmp
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754153760.0000000005002000.00000004.00000010.sdmp
                      Source: Binary string: bcrypt.pdb] source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: winmm.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: wsspicli.pdbg source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: bcrypt.pdba source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: esent.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: esent.pdbM source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: pdh.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: ffty.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp, G7ABVJxc3Z.dll
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754217148.0000000005000000.00000004.00000010.sdmp
                      Source: Binary string: ole32.pdbC source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp
                      Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: lz32.pdb= source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754153760.0000000005002000.00000004.00000010.sdmp
                      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754217148.0000000005000000.00000004.00000010.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.743939935.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754217148.0000000005000000.00000004.00000010.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: ole32.pdb1 source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.743926557.0000000004C61000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.754112021.0000000005731000.00000004.00000001.sdmp
                      Source: Binary string: lz32.pdb source: WerFault.exe, 00000007.00000003.743950383.0000000004E26000.00000004.00000040.sdmp, WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: sfc_os.pdb] source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: ws2_32.pdbE source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: wimm32.pdbS source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: esent.pdb3 source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: Binary string: wininet.pdb) source: WerFault.exe, 0000000A.00000003.754238093.0000000005008000.00000004.00000010.sdmp, WerFault.exe, 0000000A.00000003.754170078.0000000005008000.00000004.00000010.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E47F6A8 push esi; mov dword ptr [esp], 00000000h
                      Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                      Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\System32\loaddll32.exe Section loaded: OutputDebugStringW count: 1023
Source: C:\Windows\System32\loaddll32.exe Window / User API: threadDelayed 1023
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E480730 GetTokenInformation,GetSystemInfo,GetTokenInformation,
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.7.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: VMware7,1
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000007.00000002.828834877.00000000046DD000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.me
Source: WerFault.exe, 00000007.00000002.828906056.00000000047D0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWX(n
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E476D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E483138 RtlAddVectoredExceptionHandler,
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1
Source: loaddll32.exe, 00000000.00000002.1053899342.00000000018E0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.742448049.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.739881173.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.733270905.0000000003A00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.734263987.0000000003A00000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1053899342.00000000018E0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.742448049.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.739881173.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.733270905.0000000003A00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.734263987.0000000003A00000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1053899342.00000000018E0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.742448049.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.739881173.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.733270905.0000000003A00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.734263987.0000000003A00000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1053899342.00000000018E0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.742448049.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.739881173.0000000002F00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.733270905.0000000003A00000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.734263987.0000000003A00000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | DLL Side-Loading1 | Process Injection12 | Virtualization/Sandbox Evasion1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Process Injection12 | LSASS Memory | Security Software Discovery21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll321 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Account Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Owner/User Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery13 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

Behavior Graph ID: 545442, Sample: G7ABVJxc3Z.dll, Startdate: 26/12/2021, Architecture: WINDOWS, Score: 80
Contacted hosts: 162.241.33.132 (UNIFIEDLAYER-AS-1US, United States); 217.160.5.104 (ONEANDONE-ASBrauerstrasse48DE, Germany); 2 other IPs or domains
Signatures on the sample: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Dridex unpacked file; 3 other signatures
Process chain:
loaddll32.exe started (signature: Tries to delay execution (extensive OutputDebugStringW loop))
  loaddll32.exe started cmd.exe, which started rundll32.exe, which started WerFault.exe
  loaddll32.exe started rundll32.exe, which started WerFault.exe


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
G7ABVJxc3Z.dll | 65% | Virustotal |
G7ABVJxc3Z.dll | 67% | ReversingLabs | Win32.Infostealer.Dridex
G7ABVJxc3Z.dll | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
2.2.rundll32.exe.5b0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.0.rundll32.exe.3280000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.0.rundll32.exe.3280000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.3280000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.rundll32.exe.6e470000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
2.0.rundll32.exe.5b0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.rundll32.exe.6e470000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
3.0.rundll32.exe.6e470000.5.unpack | 100% | Avira | HEUR/AGEN.1144420
0.2.loaddll32.exe.1180000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.rundll32.exe.6e470000.5.unpack | 100% | Avira | HEUR/AGEN.1144420
0.2.loaddll32.exe.6e470000.2.unpack | 100% | Avira | HEUR/AGEN.1144420
2.0.rundll32.exe.5b0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.0.rundll32.exe.6e470000.2.unpack | 100% | Avira | HEUR/AGEN.1144420

                      Domains

                      No Antivirus matches

                      URLs

                      No Antivirus matches

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.7.dr | false | | high

                        Contacted IPs


                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.241.33.132 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true
104.36.167.47 | unknown | United States | 27640 | GIGASNET-ASUS | true
217.160.5.104 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
188.40.48.93 | unknown | Germany | 24940 | HETZNER-ASDE | true

                        General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 545442
Start date: 26.12.2021
Start time: 17:25:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 39s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: G7ABVJxc3Z.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.troj.evad.winDLL@9/10@0/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 56.1% (good quality ratio 52.2%)
• Quality average: 77.2%
• Quality standard deviation: 30.1%
HCA Information:
• Successful, ratio: 53%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .dll
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 52.182.143.212
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information

                        Simulations

                        Behavior and APIs

                        No simulations

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4d42c1f24c11b6c9a2fc199d7a28c798fe9e5a_82810a17_173d852c\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9654598579721348
Encrypted: false
SSDEEP: 192:IniV0oX3CHBUZMX4jed+RU/u7sHS274ItWc:4i7XqBUZMX4jeH/u7sHX4ItWc
MD5: 93091EC43D665EC917DA2B6DEF3C1986
SHA1: C2F1761C9D079582704C4E1EB9D7B6E071E2B8A0
SHA-256: 06910F058548C44A52ABA2D0F95F71C2F84B7CB608702A4D630DB06A5191D98E
SHA-512: 8A855DE218DAAEDF1479D6134A8513E7ED9836202A41B85AC90B3CF02F48B23EEE6E8DD8A4598D27732A394AB3F2EB08FEA7969B4ADC47B9ECFB513F4BADB153
Malicious: false
Reputation: low
                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.5.0.0.9.6.1.9.8.8.7.7.1.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.5.0.0.9.6.2.7.4.9.7.0.2.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.f.2.8.9.9.8.-.b.6.2.1.-.4.3.c.8.-.a.9.4.d.-.0.b.d.9.d.1.e.3.a.5.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.6.4.6.2.a.3.6.-.f.5.7.4.-.4.5.d.9.-.8.7.1.e.-.0.f.2.8.8.c.a.7.2.1.7.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.5.4.-.0.0.0.1.-.0.0.1.b.-.c.6.5.4.-.d.2.5.1.7.5.f.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.
                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_dd9d398ae70aa8478325646a49f7ebef948b8_82810a17_125d0cc0\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0000448208544093
Encrypted: false
SSDEEP: 192:sqifB0oXkHVzOMjed+x8/u7sOS274It7c:sqifvXsVzOMje3/u7sOX4It7c
MD5: 717352CD42907A1560CC3A9878394AF7
SHA1: 8219062D9152D35481EACA6E77AB659CCC92C01D
SHA-256: 3B77FF498A4AD8C84A4FCC826A420B93C27EB86B2FA2867D3F78A5502B96EFFC
SHA-512: DDA2C9E5ED4D60F91CC0636184F3EEDD2F9ACE92C9C3A8C2BCEBB1C7386C0EB0DFE9E8CB966542A3E11A65152F6D18C7A8B7D2DBCF6356F4BBDC89293D22C047
Malicious: false
Reputation: low
                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.5.0.0.9.6.2.4.1.2.5.1.7.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.e.f.f.a.a.1.e.-.6.b.7.a.-.4.b.2.b.-.9.d.1.f.-.d.a.5.f.2.0.7.2.7.0.4.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.a.6.5.c.b.8.-.4.3.a.4.-.4.2.f.a.-.9.c.0.6.-.4.2.5.a.0.3.7.e.4.1.f.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.6.0.-.0.0.0.1.-.0.0.1.b.-.f.3.d.6.-.c.e.5.1.7.5.f.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.!.1.0.3.d.
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER427.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4731
Entropy (8bit): 4.4479686247920664
Encrypted: false
SSDEEP: 48:cvIwSD8zs5JgtWI9+i7WSC8BF8fm8M4JCdsA97Fej+q8vjsA9B4SrSOd:uITfLZiKSNYJyKKzzDWOd
MD5: EEABF8D07101FD6411D2E76E3A546286
SHA1: 1D85E981286F68BBFBFEC81169E4766F082EE88F
SHA-256: 1A41F6023E303ED99DBA0945C98141C450E61F4D47C962479000937E7B5FE2B1
SHA-512: 4B090B15289481F7EFA4FBBA52A0A60B5CCF689EB8DCF1F9E8D0D28937BFBB4919431975D5558EAEE5E0ED329B27A333DFA34AA915BA0DF99165A5F3806E961E
Malicious: false
Reputation: low
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1314817" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERE64C.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Sun Dec 26 16:27:01 2021, 0x1205a4 type
Category: dropped
Size (bytes): 46978
Entropy (8bit): 2.1386478701324085
Encrypted: false
SSDEEP: 192:WmsgUOTajHiAM6SM4eO5Skb44ynjngyfxTlT/qw86om6nxTLzdeXYeq:bPabcBb5Lb44ynjgujqxTLz0I3
MD5: 206968ED73ECB16B39091E3625D9E8B0
SHA1: 2A98F0A379AAE0F97913FC801ECF159E09255E4E
SHA-256: CFE4A48F936677001FD583B3956081ABCB47071C47667F57C36FDB7721078FBA
SHA-512: 5DF3181BBE7CB38549AA965B8AA69EFD5984DB683C18834104A42009AA840947900261077FDEF7B92CB460F840891E129A6E74E43AD2636DDB6FB3350E151A1B
Malicious: false
Reputation: low
                        Preview: MDMP....... .........a........................`................1..........T.......8...........T...........p................................................................................................U...........B....... ......GenuineIntelW...........T.......T......a.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE1D.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8272
Entropy (8bit): 3.6954724365915483
Encrypted: false
SSDEEP: 192:Rrl7r3GLNiTa6ft16YnY66VgmfTwDSD+prV89bIZoSmsf7uZm:RrlsNiO6ft16YY66VgmfTUS1IZoSFf6U
MD5: 7DF9F40560D821B578853C8AC59820CF
SHA1: AC4C351449BD25EA0C96154B639608C4DBDFC9E3
SHA-256: 72B22A8BBF5A8C54889D0C69E38A657A6E80ADD044B13984DF2FA06AE0E08D50
SHA-512: 1CEC619AA943A0811847BDE98A7E002BBF862C21C2D843B4A4F3F6E272F62BB08F404E17B5F3F2493D032B9D5932255612A558D75FDB60C51992872BD9686BCA
Malicious: false
Reputation: low
                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.4.<./.P.i.d.>.......
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF36D.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4630
Entropy (8bit): 4.462773353078608
Encrypted: false
SSDEEP: 48:cvIwSD8zs5JgtWI9+i7WSC8By8fm8M4JCdsA9DFoVk+q8/F5n/4SrSLd:uITfLZiKSN9JyVCVDWLd
MD5: 2B32C46F97FB98D0B8ED6299C04C3C60
SHA1: ED6759009A19FA06FFB87EDBA2368A5C6A6018F9
SHA-256: 1A867D30844F3A066C98E1937B7F9BEA48BA66FCDD7D8413603B536A059E9431
SHA-512: 93B87F21C32F2BF80ED38233F9D46A62FDF3190A7F1E71E9D41CE010DBE97D23E9EFE0AC65DF1ED03FD9ED39B77526A4936ECADEE4EAAA70B063C6155F35E13E
Malicious: false
Reputation: low
                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1314817" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6D6.tmp.dmp
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Sun Dec 26 16:27:06 2021, 0x1205a4 type
                        Category:dropped
                        Size (bytes):48114
                        Entropy (8bit):2.214478850648368
                        Encrypted:false
                        SSDEEP:192:spSTPOAweBQ1yPO5Skb0n5F8OAJBMhY7Cic64tYqRd:5R7Wp5LbauJJ7oOqf
                        MD5:CDA1D8C55F50A313FF3D2A7329EBCAE7
                        SHA1:96F7234CF1C8F68C220804F09D1C3AB22382D81C
                        SHA-256:9CC5AF8951F9F570166671864ABC67DE2093209CC54F3495DB89B9CF96745D06
                        SHA-512:BD069989775B4E5CCF8727CAA79E413D20F3E216E5888F247981A90785D42FF1D9C4A072A60324871F09DC0DB4600BC0F5C30CEC714BDCB7135A872A27442213
                        Malicious:false
                        Reputation:low
                        Preview: MDMP....... .........a........................|...........$...$ ...........4..........`.......8...........T............"..............H ..........4"...................................................................U...........B......."......GenuineIntelW...........T.......`......a.............................0..=...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9.tmp.WERInternalMetadata.xml
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8352
                        Entropy (8bit):3.6888277131607947
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNiwo6L6YnY6Dgmf8ZSY+pB789bI9ssf/ulm:RrlsNiX6L6YY6Dgmf8ZSKI9/f2o
                        MD5:C67D9D1CFEB29DE16FC73541620A6BCC
                        SHA1:2FA1A6B3F4D4FC257A7BC337F10061B33109CEAA
                        SHA-256:C3D56890FC63DA7B18860D0C3C9B9761FD843466BB42707F6C7B418EA11FEEBF
                        SHA-512:D9FEA34D57691311F930763F5BFAABCCE36CE3705337A9783152197E3E002F14DB5292B832B316D9D2D12FB6FA5CE99195AA3A85B06BD43AD8C47A9818561675
                        Malicious:false
                        Reputation:low
                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.9.6.<./.P.i.d.>.......
                        C:\Windows\appcompat\Programs\Amcache.hve
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1572864
                        Entropy (8bit):4.240225930170385
                        Encrypted:false
                        SSDEEP:12288:vq9elvRGZTfXh9g7lg9YTkV8gUnsMhEhczXfTDaT6toEwdfj:S9elvRGZTfR9g7vhg
                        MD5:B33794E3C6B1BEB6D6B2581831709E4D
                        SHA1:BC9BB5B86AE5D7EC84E8F45ED0B93F5C03A27AE3
                        SHA-256:2AC4F58765C291C6D51B5C2CA28421A9996607457DD0D05F8BF5275FC7F28759
                        SHA-512:55DD41010C8783E6CE731A7FD38AB9A3897756A759264C7157E61F65DEC3E22B5ADE92CCE1564447005E2FB65E744C4F4B1B0867B8874A00C009F09EFEF43CA3
                        Malicious:false
                        Reputation:low
                        Preview: regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm^Z_gu...............................................................................................................................................................................................................................................................................................................................................kc[:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):20480
                        Entropy (8bit):3.407583074430547
                        Encrypted:false
                        SSDEEP:384:OH5GY5K5PPv4EgnVVeeDzeQ1NKZtjoT8GpwL1033SYH:ipKjg/eeDzeuNYtjpGpwLkSY
                        MD5:3A7B0EC19DB89A30EB62BF9891DF07F8
                        SHA1:95EA4D60CA49F5DB36207E645B5EB1B936190159
                        SHA-256:1771EAB3A5D72F77997C3029E5900693DFDC0057DB2038548A9702B74864B397
                        SHA-512:D355B50B97CBF4C65894924B0A115B91A5487AB96685FFB3F23349EC9E3F6214A24CFDC58DFDBBECADC5489A0E8C196FF039183A75052AB46C4639CB7CCBA60C
                        Malicious:false
                        Preview: regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm^Z_gu...............................................................................................................................................................................................................................................................................................................................................mc[:HvLE.N......G................-..{k!.dhS..................... ..hbin................p.\..,..........nk,..agu................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..agu....... ........................... .......Z.......................Root........lf......Root....nk ..agu................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

                        Static File Info

                        General

                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.269426930570889
                        TrID:
                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                        • Generic Win/DOS Executable (2004/3) 0.20%
                        • DOS Executable Generic (2002/1) 0.20%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:G7ABVJxc3Z.dll
                        File size:536576
                        MD5:47c59530065e8e7e05a855879bf8a922
                        SHA1:8fba3ea2428f92e8dc8497514d0817b54edc5be0
                        SHA256:e4db910a4147ac44bef76f71e6b0d6bd193b89a6268dda35f3b1c210cc111fe4
                        SHA512:c99e35f6313aa75f24b7bdb1cc9e91eb7246dd7cd79de9c18f50d1f6ee27984ff075c108d1025e16dbd6d03087d11bcb6f927c5773e8a03d7bdd02c204782a42
                        SSDEEP:6144:4KMImhktm7mnmvetmzK/kxwv4Zm7mREqZzdazdULd54f3X0kdVtL8faGAPlX:49hXAg5aX0CL8fI
                        File Content Preview:MZ......................@...................................P......E;...;...;....Xl.....................2.4.^....uh.{...6.F......Xl.....F.z..............u..........z.......................@...8.{.G...;.......Rich;..........................................

                        File Icon

                        Icon Hash:74f0e4ecccdce0e4

                        Static PE Info

                        General

                        Entrypoint:0x10005a10
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x10000000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x61B705D1 [Mon Dec 13 08:35:29 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:0
                        File Version Major:5
                        File Version Minor:0
                        Subsystem Version Major:5
                        Subsystem Version Minor:0
                        Import Hash:e9192d34e4c9dcdf739aaa1d74025eb2

                        Entrypoint Preview

                        Instruction
                        mov edx, 00000003h
                        cmpps xmm1, xmm0, 02h
                        add eax, 0Ch
                        add eax, 0Ch
                        add eax, 0Ch
                        add eax, 0Ch
                        add eax, 0Ch
                        add eax, 0Ch
                        cmp edx, 03h
                        je 00007F8410AF0892h
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        int3
                        push ebp
                        mov ebp, esp
                        push edi
                        push ebx
                        push esi
                        and esp, FFFFFFF8h
                        sub esp, 000000A0h
                        mov eax, dword ptr [ebp+08h]
                        mov ecx, 006B34C2h
                        mov edx, dword ptr [esp+7Ch]
                        mov dword ptr [esp+7Ch], 3CDA3086h
                        mov dword ptr [esp+00000094h], 00000000h
                        mov dword ptr [esp+00000090h], 006C4587h
                        mov byte ptr [esp+7Ah], FFFFFFBDh
                        mov dword ptr [esp+74h], 629729F9h
                        mov byte ptr [esp+65h], FFFFFFF1h
                        mov dword ptr [esp+38h], 694CC273h
                        mov esi, dword ptr [esp+00000094h]
                        mov edi, dword ptr [esp+00000090h]
                        mov ebx, edi
                        add ebx, 171E5389h
                        mov dword ptr [esp+30h], eax
                        mov eax, esi
                        adc eax, 00000000h
                        mov dword ptr [esp+48h], ebx
                        mov dword ptr [esp+4Ch], eax
                        mov dword ptr [esp+2Ch], edi
                        mov dword ptr [esp+28h], ecx
                        mov dword ptr [esp+24h], edx
                        mov dword ptr [esp+20h], esi
                        call 00007F8410AF4296h
                        mov ecx, 4C276534h
                        mov edx, dword ptr [esp+2Ch]

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x780d0 | 0x64 | .rdata
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x781b0 | 0x17c | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x2f0 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x83000 | 0x1214 | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x90f0 | 0x38 | .rdata
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0xe8 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0x74d8 | 0x8000 | False | 0.360290527344 | data | 4.61113521989 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata | 0x9000 | 0x6fff8 | 0x70000 | False | 0.311179024833 | data | 7.3778786518 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0x79000 | 0x80f4 | 0x7000 | False | 0.295828683036 | data | 6.02916609898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x82000 | 0xec8 | 0x1000 | False | 0.090087890625 | data | 0.784979301457 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x83000 | 0x1214 | 0x2000 | False | 0.287475585938 | data | 4.27724948186 | IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
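The script below is an added example; it is not part of this report and not the sandbox's own code. It shows how the Sections table is derived: it walks the DOS header, PE signature, COFF header and section table with only the Python standard library, computes each section's 8-bit Shannon entropy and flags sections that look packed or encrypted. The PE image it parses is constructed inside the script (make_synthetic_pe), not the analysed DLL, and the 7.0 cut-off is an assumed triage threshold rather than a value from the report. Applied to the values in the table above, the same rule would single out .rdata: 0x70000 raw bytes at entropy 7.38 in a 536576-byte file is consistent with an encrypted payload carried by a small loader stub in .text.

```python
"""Parse a PE section table and score each section's entropy.

Added example, not part of the sandbox report. make_synthetic_pe() builds a
constructed test image; it is not the analysed DLL. The 7.0 threshold is an
assumed triage cut-off.
"""
import hashlib
import math
import struct
from collections import Counter

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY_THRESHOLD = 7.0  # assumption: usual "looks packed/encrypted" cut-off


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _stamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    table = opt + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def suspicious_sections(sections: list, threshold: float = PACKED_ENTROPY_THRESHOLD) -> list:
    """Names of non-empty sections at or above the entropy threshold."""
    return [s["name"] for s in sections if s["raw_size"] and s["entropy"] >= threshold]


def deterministic_random_bytes(n: int, seed: bytes = b"demo-seed") -> bytes:
    """SHA-256 chain used as reproducible high-entropy filler (constructed data)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def section_header(name: bytes, va: int, data: bytes, rawptr: int, flags: int) -> bytes:
    """One 40-byte IMAGE_SECTION_HEADER with VirtualSize == SizeOfRawData."""
    return struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), rawptr, 0, 0, 0, 0, flags)


def make_synthetic_pe() -> bytes:
    """Constructed PE32 DLL image: only the fields parse_sections() reads are populated."""
    text = (b"\x55\x8b\xec\x5d\xc3" * 120).ljust(0x400, b"\0")  # repetitive stub code, low entropy
    rdata = deterministic_random_bytes(0x1000)                  # stands in for an encrypted payload
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x61B705D1, 0, 0, 0xE0, 0x2102)  # i386, 2 sections, DLL
    optional = struct.pack("<H", PE32_MAGIC) + b"\0" * (0xE0 - 2)
    text_ptr, rdata_ptr = 0x200, 0x200 + len(text)
    headers = (dos + b"PE\0\0" + coff + optional
               + section_header(b".text", 0x1000, text, text_ptr, 0x60000020)
               + section_header(b".rdata", 0x2000, rdata, rdata_ptr, 0x40000040))
    return headers.ljust(0x200, b"\0") + text + rdata


if __name__ == "__main__":
    secs = parse_sections(make_synthetic_pe())
    for s in secs:
        print("%-8s va=0x%05x vsize=0x%05x raw=0x%05x entropy=%.2f" % (
            s["name"], s["virtual_address"], s["virtual_size"], s["raw_size"], s["entropy"]))
    print("likely packed/encrypted:", suspicious_sections(secs))
```

To run it against a real file, pass `open(path, "rb").read()` to parse_sections() in place of the synthetic image. Entropy alone is a weak signal (compressed resources and certificate tables are also high-entropy), so treat a flagged section as a prompt to look for a decryption loop referencing it, not as a verdict.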

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_VERSION | 0x82060 | 0x290 | MS Windows COFF PA-RISC object file | English | United States

                        Imports

                        DLL | Import
                        KERNEL32.dll | CreateFileW, GetProcessVersion, GetModuleFileNameW, CloseHandle, VirtualAllocEx, DeleteTimerQueue, InitAtomTable
                        msvcrt.dll | wcscoll
                        SETUPAPI.dll | SetupDiOpenDeviceInterfaceW
                        WININET.dll | InternetReadFile
                        RPCRT4.dll | RpcMgmtSetCancelTimeout, NdrGetUserMarshalInfo
                        LZ32.dll | LZCopy
                        USER32.dll | BlockInput, TranslateMessage, FillRect, GetWindowTextA, DefMDIChildProcW, GetWindowContextHelpId, IsWinEventHookInstalled, GetClassNameA
                        NTDSAPI.dll | DsGetDomainControllerInfoW
                        IPHLPAPI.DLL | GetIpAddrTable
                        WS2_32.dll | WSACleanup, inet_addr
                        IMM32.dll | ImmGetCandidateListW
                        ADVAPI32.dll | CreateRestrictedToken, CryptGenKey, CryptAcquireContextW, RegCloseKey, CryptContextAddRef
                        GDI32.dll | GetViewportOrgEx, SetWindowOrgEx
                        pdh.dll | PdhAddCounterW
                        ole32.dll | CoCreateInstanceEx, CoGetObjectContext, StringFromGUID2
                        WINMM.dll | waveOutGetPitch
                        SHLWAPI.dll | AssocGetPerceivedType
                        ESENT.dll | JetInit
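The Import Hash field in the Static PE Info section is computed from exactly the table above. The script below is an added example, not part of this report or of any vendor tool; it implements the usual imphash recipe (as in pefile): lower-case each library.function pair, drop a .dll/.ocx/.sys suffix from the library name, call ordinal-only imports ordN, join the pairs in import-table order with commas and MD5 the result. REPORTED_IMPORTS is transcribed from the table; whether its hash equals the report's value depends on the on-disk order of descriptors and thunks, which the transcription may not preserve. Real implementations also map well-known ordinals in ws2_32.dll and oleaut32.dll back to names before hashing; that lookup table is omitted here.

```python
"""Compute an import hash (imphash) from a PE import table.

Added example, not from the sandbox report. REPORTED_IMPORTS is transcribed
from the report's Imports table; the known-ordinal name lookup used by full
implementations is omitted.
"""
import hashlib

STRIP_EXTENSIONS = ("dll", "ocx", "sys")

REPORTED_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileW", "GetProcessVersion", "GetModuleFileNameW", "CloseHandle",
                      "VirtualAllocEx", "DeleteTimerQueue", "InitAtomTable"]),
    ("msvcrt.dll", ["wcscoll"]),
    ("SETUPAPI.dll", ["SetupDiOpenDeviceInterfaceW"]),
    ("WININET.dll", ["InternetReadFile"]),
    ("RPCRT4.dll", ["RpcMgmtSetCancelTimeout", "NdrGetUserMarshalInfo"]),
    ("LZ32.dll", ["LZCopy"]),
    ("USER32.dll", ["BlockInput", "TranslateMessage", "FillRect", "GetWindowTextA", "DefMDIChildProcW",
                    "GetWindowContextHelpId", "IsWinEventHookInstalled", "GetClassNameA"]),
    ("NTDSAPI.dll", ["DsGetDomainControllerInfoW"]),
    ("IPHLPAPI.DLL", ["GetIpAddrTable"]),
    ("WS2_32.dll", ["WSACleanup", "inet_addr"]),
    ("IMM32.dll", ["ImmGetCandidateListW"]),
    ("ADVAPI32.dll", ["CreateRestrictedToken", "CryptGenKey", "CryptAcquireContextW", "RegCloseKey",
                      "CryptContextAddRef"]),
    ("GDI32.dll", ["GetViewportOrgEx", "SetWindowOrgEx"]),
    ("pdh.dll", ["PdhAddCounterW"]),
    ("ole32.dll", ["CoCreateInstanceEx", "CoGetObjectContext", "StringFromGUID2"]),
    ("WINMM.dll", ["waveOutGetPitch"]),
    ("SHLWAPI.dll", ["AssocGetPerceivedType"]),
    ("ESENT.dll", ["JetInit"]),
]


def normalise_import(library: str, function) -> str:
    """Lower-case 'lib.func'; lib loses a .dll/.ocx/.sys suffix; an int function becomes 'ordN'."""
    lib = library.lower()
    base, dot, ext = lib.rpartition(".")
    if dot and ext in STRIP_EXTENSIONS:
        lib = base
    func = "ord%d" % function if isinstance(function, int) else function.lower()
    return "%s.%s" % (lib, func)


def imphash_string(imports) -> str:
    """The comma-joined string that gets hashed; import order is significant."""
    return ",".join(normalise_import(lib, f) for lib, funcs in imports for f in funcs)


def imphash(imports) -> str:
    """MD5 hex digest of the normalised import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(REPORTED_IMPORTS))
    print("computed imphash:", imphash(REPORTED_IMPORTS))
    print("report value    :", "e9192d34e4c9dcdf739aaa1d74025eb2")
```

Because the hash covers names and order but not addresses, it survives re-signing, resource changes and re-encryption of the payload section, which is why it is useful for clustering loader builds that share a build pipeline even when every file hash differs. It is also trivial for the author to perturb by reordering or adding a decoy import, so treat a match as a pivot, not as attribution.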

                        Exports

                        Name | Ordinal | Address
                        Wgpomsdeeomtunmdrt | 1 | 0x10078125

                        Version Infos

                        Description | Data
                        OriginalFilename | Hen.dll
                        FileDescription | Oracle Call Interface
                        FileVersion | 7.0.2.1.0
                        Legal Copyright | Copyright Oracle Corporation 1979, 2001. All rights reserved.
                        CompanyName | Oracle Corporation
                        Translation | 0x0409 0x04b0

                        Possible Origin

                        Language of compilation system | Country where language is spoken
                        English | United States

                        Network Behavior

                        No network behavior found

                        Code Manipulations

                        Statistics

                        Behavior


                        System Behavior

                        General

                        Start time:17:26:21
                        Start date:26/12/2021
                        Path:C:\Windows\System32\loaddll32.exe
                        Wow64 process (32bit):true
                        Commandline:loaddll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll"
                        Imagebase:0xc30000
                        File size:116736 bytes
                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.1054100443.000000006E471000.00000020.00020000.sdmp, Author: Joe Security
                        Reputation:moderate

                        General

                        Start time:17:26:21
                        Start date:26/12/2021
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1
                        Imagebase:0x11d0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:17:26:22
                        Start date:26/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe C:\Users\user\Desktop\G7ABVJxc3Z.dll,Wgpomsdeeomtunmdrt
                        Imagebase:0xa50000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.740603075.000000006E471000.00000020.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.742949248.000000006E471000.00000020.00020000.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:17:26:22
                        Start date:26/12/2021
                        Path:C:\Windows\SysWOW64\rundll32.exe
                        Wow64 process (32bit):true
                        Commandline:rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1
                        Imagebase:0xa50000
                        File size:61952 bytes
                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.831692261.000000006E471000.00000020.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.733407707.000000006E471000.00000020.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.734461323.000000006E471000.00000020.00020000.sdmp, Author: Joe Security
                        Reputation:high

                        General

                        Start time:17:26:57
                        Start date:26/12/2021
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 740
                        Imagebase:0x2b0000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:17:27:01
                        Start date:26/12/2021
                        Path:C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 864
                        Imagebase:0x2b0000
                        File size:434592 bytes
                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
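The process entries above show the two ways the sample's single export was invoked: by name (`,Wgpomsdeeomtunmdrt`) and by ordinal (`,#1`, via cmd.exe), the latter being what the report's "Suspicious Call by Ordinal" signature keys on. The classifier below is an added example, not part of the report: it replays those command lines as Sysmon Event ID 1 style records (Image, CommandLine, ParentImage) and returns a finding list per event. The ordinal regex approximates the Sigma rule's logic; the user-writable-path and shell-parent checks are additional hunting heuristics added here. The benign shell32.dll event is constructed, and the parent of the export-by-name rundll32 is assumed.

```python
"""Flag suspicious rundll32 invocations in process-creation telemetry.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the report's System Behavior command lines plus one benign control.
"""
import re
from dataclasses import dataclass
from typing import List

# "<dll>,#N", "<dll>, #N" or "<dll>.dll #N": export selected by ordinal rather than by name
ORDINAL_CALL = re.compile(r"(?:,\s*|\.(?:dll|ocx)\s+)#\d+", re.IGNORECASE)
# DLL path under a location a standard user can write to (added heuristic)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData)\\|\\Temp\\", re.IGNORECASE)
# interpreters that rarely launch rundll32 in normal use (added heuristic)
SHELL_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine
    parent_image: str   # Sysmon ParentImage


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> List[str]:
    """Findings for one process-creation event; empty list means nothing fired."""
    findings: List[str] = []
    if basename(event.image) != "rundll32.exe":
        return findings
    if ORDINAL_CALL.search(event.command_line):
        findings.append("export called by ordinal")
    if USER_WRITABLE.search(event.command_line):
        findings.append("DLL loaded from user-writable path")
    parent = basename(event.parent_image)
    if parent in SHELL_PARENTS:
        findings.append("spawned by %s" % parent)
    return findings


def triage(events) -> list:
    """[(command_line, findings)] for every event that raised at least one finding."""
    hits = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append((event.command_line, findings))
    return hits


SAMPLE_EVENTS = [
    # cmd.exe wrapper from the report; not itself rundll32, so it yields no finding
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe",
                 r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1',
                 r"C:\Windows\System32\loaddll32.exe"),
    # ordinal call from the report; parent cmd.exe per the process tree
    ProcessEvent(r"C:\Windows\SysWOW64\rundll32.exe",
                 r'rundll32.exe "C:\Users\user\Desktop\G7ABVJxc3Z.dll",#1',
                 r"C:\Windows\SysWOW64\cmd.exe"),
    # export-by-name call from the report; parent assumed
    ProcessEvent(r"C:\Windows\SysWOW64\rundll32.exe",
                 r"rundll32.exe C:\Users\user\Desktop\G7ABVJxc3Z.dll,Wgpomsdeeomtunmdrt",
                 r"C:\Windows\System32\loaddll32.exe"),
    # benign control, constructed: system DLL, named export, launched from the shell
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for command_line, findings in triage(SAMPLE_EVENTS):
        print(command_line)
        for finding in findings:
            print("   -", finding)
```

Before deploying, baseline the ordinal check: some installers and updaters legitimately call exports by ordinal, and the published Sigma rule carries exclusions for them, so expect to add a filter list of your own. The path and parent heuristics are deliberately separate findings so they can be scored rather than used as hard filters.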

                        Disassembly

                        Code Analysis
