Windows Analysis Report
o7m2se.dll

Overview

General Information

Sample Name:o7m2se.dll
Analysis ID:659464
MD5:cc9f20deaa66ffd5b96b727c2454e141
SHA1:3b90678ff567417851e8c9953effeda2969abc4d
SHA256:e6c6ad0411501c2d81863c0ecaf80ace8a5e9b6ce8329c5700890eb36991f6fb
Tags:exe
Infos:

Detection

BumbleBee
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected BumbleBee
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contain functionality to detect virtual machines
Searches for specific processes (likely to inject)
C2 URLs / IPs found in malware configuration
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Launches processes in debugging mode, may be used to hinder debugging
Found large amount of non-executed APIs
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6540 cmdline: loaddll64.exe "C:\Users\user\Desktop\o7m2se.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 6552 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6572 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • WerFault.exe (PID: 6752 cmdline: C:\Windows\system32\WerFault.exe -u -p 6572 -s 324 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 6560 cmdline: rundll32.exe C:\Users\user\Desktop\o7m2se.dll,KInMQF MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 6744 cmdline: C:\Windows\system32\WerFault.exe -u -p 6560 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 6796 cmdline: rundll32.exe C:\Users\user\Desktop\o7m2se.dll,KwNqBn2l9N MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 6880 cmdline: C:\Windows\system32\WerFault.exe -u -p 6796 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 6960 cmdline: rundll32.exe C:\Users\user\Desktop\o7m2se.dll,LLBMPMUsqf MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",KInMQF MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 4448 cmdline: C:\Windows\system32\WerFault.exe -u -p 7064 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 7072 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",KwNqBn2l9N MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 3488 cmdline: C:\Windows\system32\WerFault.exe -u -p 7072 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
      • WerFault.exe (PID: 6824 cmdline: C:\Windows\system32\WerFault.exe -u -p 7072 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 7096 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",LLBMPMUsqf MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 7140 cmdline: rundll32.exe "C:\Users\user\Desktop\o7m2se.dll",SrNF6Da MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 1596 cmdline: C:\Windows\system32\WerFault.exe -u -p 7140 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
      • WerFault.exe (PID: 6332 cmdline: C:\Windows\system32\WerFault.exe -u -p 7140 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup
Source | Rule | Description | Author | Strings
00000013.00000002.549903895.00000285C8050000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
0000000E.00000002.546822241.0000021520580000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |

Source | Rule | Description | Author | Strings
19.2.rundll32.exe.285c8050000.2.raw.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
14.2.rundll32.exe.21520580000.3.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
19.2.rundll32.exe.285c8050000.2.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
14.2.rundll32.exe.21520580000.3.raw.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 23.19.58.212:443, Virustotal: Detection: 8%
Source: 19.2.rundll32.exe.285c8050000.2.raw.unpack, Malware Configuration Extractor: BumbleBee