Windows Analysis Report
BiU282bjyR.exe

Antivirus / Scanner detection for submitted sample

Source: Yara match	File source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.638122231.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BiU282bjyR.exe PID: 7076, type: MEMORYSTR

Source: BiU282bjyR.exe

Avira: detected

Antivirus detection for URL or domain

Source: 212.23.211.238

Avira URL Cloud: Label: malware

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00433255 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

0_2_00433255

Source: BiU282bjyR.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BiU282bjyR.exe PID: 7076, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00407424 _wcslen,CoGetObject,

0_2_00407424

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Unpacked PE file: 0.2.BiU282bjyR.exe.400000.0.unpack

Source: BiU282bjyR.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0040917A __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0040917A
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0040C1C2 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0040C1C2
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0044E289 FindFirstFileExA,	0_2_0044E289
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0041958A FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_0041958A
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0040958C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0040958C
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00407763 FindFirstFileW,FindNextFileW,	0_2_00407763
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00408733 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_00408733
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0040B9A5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040B9A5
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0040BBAC FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040BBAC
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0041BD26 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0041BD26

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00407BBE SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00407BBE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.3:49725 -> 212.23.211.238:27009
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 212.23.211.238:27009 -> 192.168.2.3:49725

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 212.23.211.238

Source: Joe Sandbox View

ASN Name: TMRDE TMRDE

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: global traffic

TCP traffic: 192.168.2.3:49725 -> 212.23.211.238:27009

Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.23.211.238

Source: BiU282bjyR.exe, 00000000.00000003.384506320.0000000000816000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.000000000081B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/j
Source: BiU282bjyR.exe, BiU282bjyR.exe, 00000000.00000003.384506320.0000000000816000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000003.384506320.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.0000000000803000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.0000000000806000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638196781.0000000000823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: BiU282bjyR.exe, 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: BiU282bjyR.exe, 00000000.00000003.384506320.0000000000816000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638196781.0000000000823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp:8&:
Source: BiU282bjyR.exe, 00000000.00000002.638122231.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpI
Source: BiU282bjyR.exe, 00000000.00000003.384506320.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.0000000000806000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpn.net/json.gpps
Source: BiU282bjyR.exe, 00000000.00000003.384506320.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpxx
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net

Source: unknown

DNS traffic detected: queries for: geoplugin.net

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00404B96 WaitForSingleObject,SetEvent,recv,

0_2_00404B96

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_004164D7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004164D7

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_004164D7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004164D7

Source: BiU282bjyR.exe, 00000000.00000002.638122231.00000000007AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

memstr_eddbfe6b-6

Source: Yara match

File source: Process Memory Space: BiU282bjyR.exe PID: 7076, type: MEMORYSTR

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_0040A307 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

0_2_0040A307

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_004164D7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_004164D7

E-Banking Fraud

Contains functionalty to change the wallpaper

Source: Yara match	File source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.638122231.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BiU282bjyR.exe PID: 7076, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_0041C477 SystemParametersInfoW,

0_2_0041C477

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: Process Memory Space: BiU282bjyR.exe PID: 7076, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: BiU282bjyR.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: Process Memory Space: BiU282bjyR.exe PID: 7076, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 840

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_004163CA ExitWindowsEx,LoadLibraryA,GetProcAddress,

0_2_004163CA

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00438180	0_2_00438180
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00433364	0_2_00433364
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0043730E	0_2_0043730E
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0044D3D9	0_2_0044D3D9
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00427464	0_2_00427464
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_004275CD	0_2_004275CD
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0041D580	0_2_0041D580
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00437743	0_2_00437743
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0043D85D	0_2_0043D85D
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0043587B	0_2_0043587B
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0042682C	0_2_0042682C
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_004369FA	0_2_004369FA
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0043DA8C	0_2_0043DA8C
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00413AA0	0_2_00413AA0
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00453B69	0_2_00453B69
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00437B78	0_2_00437B78
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0041EB18	0_2_0041EB18
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00445BE0	0_2_00445BE0
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0043DCBB	0_2_0043DCBB
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00452D3B	0_2_00452D3B
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00426DBB	0_2_00426DBB
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00436EF6	0_2_00436EF6
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0043DF18	0_2_0043DF18

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: String function: 0043418E appears 41 times
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: String function: 00401E65 appears 32 times
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: String function: 00434800 appears 54 times

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0041B5CA OpenProcess,NtResumeProcess,CloseHandle,		0_2_0041B5CA
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0041B59E OpenProcess,NtSuspendProcess,CloseHandle,		0_2_0041B59E

Source: BiU282bjyR.exe, 00000000.00000000.363460155.0000000000460000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7z.exe* vs BiU282bjyR.exe
Source: BiU282bjyR.exe	Binary or memory string: OriginalFilename7z.exe* vs BiU282bjyR.exe

Source: BiU282bjyR.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\BiU282bjyR.exe C:\Users\user\Desktop\BiU282bjyR.exe
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 840
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 844
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 888
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 892
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 884
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 844
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 1052
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 1220
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 912
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 1252
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 912
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 1416

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_004173E7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_004173E7

Source: C:\Users\user\Desktop\BiU282bjyR.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\json[1].json

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB618.tmp

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@13/38@1/2

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_0041A4DF OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_0041A4DF

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_0040F27D GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_0040F27D

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7076
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Mutant created: \Sessions\1\BaseNamedObjects\EGiy6hf-YWJYTZ

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_0041AF3D FindResourceA,LoadResource,LockResource,SizeofResource,

0_2_0041AF3D

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: Software\	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: EGiy6hf-YWJYTZ	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: Exe	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: Exe	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: EGiy6hf-YWJYTZ	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: Inj	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: Inj	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: exepath	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: exepath	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: licence	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: L=G	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: X2}	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: 8CG	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: Administrator	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: User	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: del	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: del	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: del	0_2_0040E7CE
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Command line argument: .mE	0_2_00456C80

Source: C:\Users\user\Desktop\BiU282bjyR.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\BiU282bjyR.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: BiU282bjyR.exe

Static file information: File size 1232384 > 1048576

Data Obfuscation

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Unpacked PE file: 0.2.BiU282bjyR.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Unpacked PE file: 0.2.BiU282bjyR.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R;

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00457438 push eax; ret	0_2_00457456
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0045D53D push esi; ret	0_2_0045D546
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00434846 push ecx; ret	0_2_00434859
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00456B16 push ecx; ret	0_2_00456B29

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_0041C5E5 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_0041C5E5

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00406DD7 ShellExecuteW,URLDownloadToFileW,

0_2_00406DD7

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_0041A4DF OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_0041A4DF

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (91).png

Source: C:\Users\user\Desktop\BiU282bjyR.exe

0_2_0041C5E5

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_0040F5B0 Sleep,ExitProcess,

0_2_0040F5B0

Source: C:\Users\user\Desktop\BiU282bjyR.exe TID: 7112

Thread sleep time: -78000s >= -30000s

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

0_2_0041A1DD

Source: C:\Users\user\Desktop\BiU282bjyR.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0040917A __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0040917A
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0040C1C2 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0040C1C2
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0044E289 FindFirstFileExA,	0_2_0044E289
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0041958A FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_0041958A
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0040958C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0040958C
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00407763 FindFirstFileW,FindNextFileW,	0_2_00407763
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00408733 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_00408733
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0040B9A5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040B9A5
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0040BBAC FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040BBAC
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0041BD26 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0041BD26

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00407BBE SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00407BBE

Source: C:\Users\user\Desktop\BiU282bjyR.exe

API call chain: ExitProcess graph end node

graph_0-48589

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: BiU282bjyR.exe, 00000000.00000003.384506320.000000000082A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWa Connection* 8
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: BiU282bjyR.exe, 00000000.00000003.384506320.000000000082A000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638196781.000000000083D000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00434417 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00434417

Source: C:\Users\user\Desktop\BiU282bjyR.exe

0_2_0041C5E5

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_0044F55D GetProcessHeap,

0_2_0044F55D

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00442C95 mov eax, dword ptr fs:[00000030h]

0_2_00442C95

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Memory protected: page read and write | page execute read | page execute and read and write | page execute and write copy | page guard

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00434565 SetUnhandledExceptionFilter,	0_2_00434565
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_00434417 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00434417
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_0043B4E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043B4E6
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: 0_2_004349CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004349CC

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

0_2_00411F00

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_004190BC mouse_event,

0_2_004190BC

Source: BiU282bjyR.exe, 00000000.00000002.638122231.00000000007A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: BiU282bjyR.exe, 00000000.00000002.638122231.0000000000803000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638196781.000000000082A000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.00000000007E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00452020
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: GetLocaleInfoW,	0_2_004482FC
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: GetLocaleInfoA,	0_2_0040F6DA
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_004516E8
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: EnumSystemLocalesW,	0_2_00451960
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: EnumSystemLocalesW,	0_2_004519AB
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: EnumSystemLocalesW,	0_2_00451A46
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00451AD3
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: GetLocaleInfoW,	0_2_00451D23
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: EnumSystemLocalesW,	0_2_00447DF4
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00451E4C
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: GetLocaleInfoW,	0_2_00451F53

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00434643 cpuid

0_2_00434643

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,

0_2_00404F51

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_00448B9F _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00448B9F

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: 0_2_0041B0A2 GetComputerNameExW,GetUserNameW,

0_2_0041B0A2

Source: Amcache.hve.3.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information

Contains functionality to steal Firefox passwords or cookies

Source: Yara match	File source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.638122231.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BiU282bjyR.exe PID: 7076, type: MEMORYSTR

Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		0_2_0040B9A5
Source: C:\Users\user\Desktop\BiU282bjyR.exe	Code function: \key3.db		0_2_0040B9A5

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

0_2_0040B887

Remote Access Functionality

Source: Yara match	File source: 0.2.BiU282bjyR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.2970204.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.2970204.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BiU282bjyR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.638122231.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BiU282bjyR.exe PID: 7076, type: MEMORYSTR

Source: C:\Users\user\Desktop\BiU282bjyR.exe

Code function: cmd.exe

0_2_0040569A

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Windows Service	1 Bypass User Access Control	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	12 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	12 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Defacement
Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Windows Service	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	12 Clipboard Data	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	12 Process Injection	2 Software Packing	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Bypass User Access Control	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	12 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Masquerading	Cached Domain Credentials	41 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 Remote System Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BiU282bjyR.exe	55%	ReversingLabs	Win32.Backdoor.Remcos
BiU282bjyR.exe	100%	Avira	BDS/Remcos.cgljq

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
http://geoplugin.net/j	0%	URL Reputation	safe
http://geoplugin.net/json.gpI	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpn.net/json.gpps	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gp:8&:	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpxx	0%	Avira URL Cloud	safe
212.23.211.238	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
212.23.211.238	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high
http://geoplugin.net/json.gp:8&:	BiU282bjyR.exe, 00000000.00000003.384506320.0000000000816000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638196781.0000000000823000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp/C	BiU282bjyR.exe, 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gpI	BiU282bjyR.exe, 00000000.00000002.638122231.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gpxx	BiU282bjyR.exe, 00000000.00000003.384506320.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.0000000000803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gpn.net/json.gpps	BiU282bjyR.exe, 00000000.00000003.384506320.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.0000000000806000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/j	BiU282bjyR.exe, 00000000.00000003.384506320.0000000000816000.00000004.00000020.00020000.00000000.sdmp, BiU282bjyR.exe, 00000000.00000002.638122231.000000000081B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.23.211.238	unknown	unknown		12329	TMRDE	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1301172
Start date and time:	2023-08-31 17:56:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	BiU282bjyR.exe
Original Sample Name:	111355b58d38248c4f0d96a509ca44e5.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@13/38@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 36.8% (good quality ratio 35%) Quality average: 81.8% Quality standard deviation: 25.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 30 Number of non-executed functions: 213
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, eudb.ris.api.iris.microsoft.com, tse1.mm.bing.net, displaycatalog.mp.microsoft.com, g.bing.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: BiU282bjyR.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	xcT2F1D2owcd.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.W32.ModiLoader.WG.tr.22779.8690.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	HSBC_TT_PAYMENT_INVOICE_201.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Gfbeynjyz.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.Win32.DropperX-gen.25669.16625.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.W32.ModiLoader.WG.tr.2843.17060.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	DxqQQ2WfeF.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	Factura_con_IVA.doc	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.Win32.DropperX-gen.32114.5392.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.Trojan.PackedNET.738.32297.32442.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.FileRepMalware.18185.9184.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SecuriteInfo.com.Win32.KeyloggerX-gen.21639.22575.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	file.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	dl1mXQH1HM.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	BOQ-Al Gurg Automation Project.exe	Get hash	malicious	DBatLoader, Remcos	Browse	geoplugin.net/json.gp
	BOQ-Al Gurg Automation Project.exe	Get hash	malicious	DBatLoader, Remcos	Browse	geoplugin.net/json.gp
	Scanned_by_Xerox_B230_Printer.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	HUGHED234ED.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Dieselmotorers.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	Iawyncsnbpsnnl.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	xcT2F1D2owcd.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.W32.ModiLoader.WG.tr.22779.8690.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	HSBC_TT_PAYMENT_INVOICE_201.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Gfbeynjyz.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Win32.DropperX-gen.25669.16625.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	SecuriteInfo.com.W32.ModiLoader.WG.tr.2843.17060.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	DxqQQ2WfeF.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	Factura_con_IVA.doc	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	SecuriteInfo.com.Win32.DropperX-gen.32114.5392.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	SecuriteInfo.com.Trojan.PackedNET.738.32297.32442.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.FileRepMalware.18185.9184.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Win32.KeyloggerX-gen.21639.22575.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	file.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	dl1mXQH1HM.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	BOQ-Al Gurg Automation Project.exe	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	BOQ-Al Gurg Automation Project.exe	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	Scanned_by_Xerox_B230_Printer.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	HUGHED234ED.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Dieselmotorers.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	Pago_Banco_Estado__Swift_copy.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TMRDE	https://ipfs.io/ipfs/QmdTwDBzfv7vcTnw34YZhB4VroSotz2NY5Hc5FzzQX8qxQ#rramis@isciii.es	Get hash	malicious	HTMLPhisher	Browse	212.23.144.169
	wx7x7YkSI8.elf	Get hash	malicious	Unknown	Browse	185.249.170.212
	2DLd2J82an.elf	Get hash	malicious	Mirai	Browse	212.23.154.151
	5vFyCZCGL7.elf	Get hash	malicious	Unknown	Browse	212.23.212.254
	Remittance_ACH_20220630.HTML	Get hash	malicious	Unknown	Browse	212.23.201.50
	JIzNxwvQm7.dll	Get hash	malicious	Wannacry	Browse	212.23.152.51
	9YQ4q9wIEn.dll	Get hash	malicious	Wannacry	Browse	62.221.232.243
	4EYEHNO35o.exe	Get hash	malicious	Unknown	Browse	212.23.202.95
	jJZlHQhj5F.exe	Get hash	malicious	Unknown	Browse	212.23.202.95
	Factura0522.lnk	Get hash	malicious	Unknown	Browse	212.23.221.7
	ZhtkM8Dmjw	Get hash	malicious	Mirai	Browse	185.245.176.163
	vYwp8FNhH1	Get hash	malicious	Mirai	Browse	185.245.176.192
	VUpggVyNKX	Get hash	malicious	Mirai	Browse	185.245.176.185
	arm5	Get hash	malicious	Mirai Moobot	Browse	185.11.56.21
ATOM86-ASATOM86NL	xcT2F1D2owcd.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.W32.ModiLoader.WG.tr.22779.8690.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	HSBC_TT_PAYMENT_INVOICE_201.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Gfbeynjyz.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Win32.DropperX-gen.25669.16625.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	SecuriteInfo.com.W32.ModiLoader.WG.tr.2843.17060.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	DxqQQ2WfeF.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	Factura_con_IVA.doc	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	SecuriteInfo.com.Win32.DropperX-gen.32114.5392.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	SecuriteInfo.com.Trojan.PackedNET.738.32297.32442.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.FileRepMalware.18185.9184.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SecuriteInfo.com.Win32.KeyloggerX-gen.21639.22575.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	UE3kTijL0W.elf	Get hash	malicious	Mirai	Browse	85.222.236.214
	file.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	dl1mXQH1HM.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	BOQ-Al Gurg Automation Project.exe	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	BOQ-Al Gurg Automation Project.exe	Get hash	malicious	DBatLoader, Remcos	Browse	178.237.33.50
	Scanned_by_Xerox_B230_Printer.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	HUGHED234ED.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Dieselmotorers.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_26a9884a3c30f62bb8e6294baa1f19bcd7e31a18_f1f9b96f_1895da59\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0408464911485655
Encrypted:	false
SSDEEP:	192:zj6LHJsAnbcAvjljA4dKwf/u7sUS274ItZ:zj6rJsAnbcAvj//u7sUX4ItZ
MD5:	B32D3AD91DF17460286D5E5DC51D5D58
SHA1:	0521E27702D58CBF2CD393B5C59D3E49974AA977
SHA-256:	98DE4925F169074B3CAB6FD426D016404340475DFA497ABC50CF630E33C7E527
SHA-512:	A4E0CB7993A3E039C18E00A5EF1782FB9032EFABDB1505866E7FFCC0CD76B756E9C25F65A91877E82F2A29750AD410C35A2F79B48C3770CBFBD91CA3B63F5A8C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.2.9.3.6.7.0.5.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.3.e.5.c.1.8.6.-.f.0.2.0.-.4.0.7.0.-.a.a.f.d.-.7.f.d.0.4.b.2.1.7.f.3.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.9.2.7.0.0.8.-.f.7.3.c.-.4.8.6.9.-.9.d.8.b.-.5.b.d.2.4.b.d.b.f.8.5.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_26a9884a3c30f62bb8e6294baa1f19bcd7e31a18_f1f9b96f_1a9dc9a0\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9724948957607432
Encrypted:	false
SSDEEP:	192:I63HJsAnbcAvjljA4dK+/u7sUS274ItZ:I6XJsAnbcAvjT/u7sUX4ItZ
MD5:	9D2D93D0981636CE089D473E91E0BBBC
SHA1:	F5E530F7E8BF3A7A3DEDAC73DBBCC8AFBF61D266
SHA-256:	789E0907C537C7A3560DC4F977EB6E0BCB7F90EA3F8CBE4A1A2480C94BECAB3D
SHA-512:	02E17522F3F32EAD1DC87DC4469D3A2C830766F2738A6614913E55E1708CF0134AF088CBA71E1C7B465DFA8630C038F7F412621B70396764D754F06853827BCC
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.2.5.1.1.8.0.0.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.4.4.6.2.2.5.-.b.4.b.7.-.4.0.4.b.-.a.3.3.1.-.9.7.9.3.4.e.3.2.1.1.c.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.3.f.b.b.e.8.-.3.b.b.8.-.4.a.2.d.-.a.2.d.d.-.4.7.d.9.7.7.d.0.4.4.a.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_26a9884a3c30f62bb8e6294baa1f19bcd7e31a18_f1f9b96f_1be1fd81\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0411022259407012
Encrypted:	false
SSDEEP:	192:pRB6WHJsAnbcAvjljA4dKwf/u7sUS274ItZ:pRB6OJsAnbcAvj//u7sUX4ItZ
MD5:	3709A3E7CEA50FEBDECEAACAF85E47A3
SHA1:	F2715AF9D8F943AF8C4C7A6EAA734E3E57E145EB
SHA-256:	B95DF703E3940AD7CD6A25AFB23868B0F1F8BC523E06B8DBA12B8F2749BA802F
SHA-512:	999291EBF2114726E37A3325B50D1E119BBBE19A8C67C683DAACB95B9A778433F5D54FF6F85A995BD912A066CCDD0B4868CEC562EB813CC0DD351BD73C64F780
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.3.8.3.6.1.7.9.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.2.8.9.d.f.f.-.6.3.f.6.-.4.1.6.b.-.8.9.7.1.-.5.6.c.9.1.3.8.9.2.b.2.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.6.6.6.6.1.a.-.5.8.1.4.-.4.1.d.7.-.8.f.d.0.-.5.5.b.f.0.8.6.d.b.1.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_cfbc60d3a5cdb1aa613b9b15d702be238d3e28_f1f9b96f_0465d170\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9882257921749451
Encrypted:	false
SSDEEP:	96:rz0t3K8QQ2oA7Jf6TpXIQcQnc6rCcEhcw3rr+HbHg/8BRTf3jFa9iVfNsGIMbJ3R:vq60H56rAjljA4dKD/u7sUS274ItZ
MD5:	4A30BC7CA1BD57669E45B66F275D1469
SHA1:	3EA5ABC22A0A8FE536C9FC768183C4239CDEAB7C
SHA-256:	6DB876FDEF2737D83DFE69C84D79E6EE81F4001E8BE1D8305F3E1AB8EE975291
SHA-512:	4BCAC0591B3FB106BBF3DE8E4C5764198AC152C08448C1E8B1C11C7CD43D5F40D52E68CA22F30D56F88EC67E8411BA54FA65ADAE79C4154B376B00B0E0D04BB0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.2.7.1.3.0.1.9.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.6.2.8.4.7.7.-.5.8.7.e.-.4.8.d.c.-.9.a.b.4.-.a.1.8.5.a.f.5.3.2.b.3.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.d.1.8.9.e.b.-.e.6.f.b.-.4.4.0.f.-.8.e.4.2.-.5.3.8.b.5.a.4.f.7.5.6.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_cfbc60d3a5cdb1aa613b9b15d702be238d3e28_f1f9b96f_1449cd59\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.973254441666543
Encrypted:	false
SSDEEP:	96:GyY3KqQQ2oA7Jf6TpXIQcQnc6rCcEhcw3rr+HbHg/8BRTf3jFa9iVfNsGIMbJ3V8:G6iH56rAjljA4dK+/u7sUS274ItZ
MD5:	DCF8F52B2D0C35D5E83B249F8BD2DB1C
SHA1:	EDEAA196578D822CB418387DCC909AB0F2710251
SHA-256:	1940B97650E6A95AD6293E7A3C44D35009141E5B291FFB444F0C7FFDF8C3315D
SHA-512:	138A18A8CC67FADC75B1595C7D5288288BC850D39CF6F7ED99817930812141DE4F2CE328055FCEEB66C72CD2BE235FFE54C13EC444C6E698EDE17433A08C5423
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.2.6.0.9.7.4.2.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.b.6.4.7.0.9.-.8.6.1.8.-.4.c.d.5.-.a.c.7.9.-.0.0.f.0.1.9.f.6.7.a.b.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.7.9.d.6.a.8.-.1.6.a.6.-.4.5.0.1.-.b.b.9.2.-.9.9.a.0.9.6.a.e.9.6.9.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_cfbc60d3a5cdb1aa613b9b15d702be238d3e28_f1f9b96f_15026e5c\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0409830531237236
Encrypted:	false
SSDEEP:	96:d2V3KrQQ2oA7Jf6TpXIQcQnc6rCcEhcw3rr+HbHg/8BRTf3jFa9iVfNsGIMbJ3Vd:sV6DH56rAjljA4dKwf/u7shS274ItZ
MD5:	EC68CD86FCEB94B00149D47C0FF142A4
SHA1:	B05BDB5D3E5458E24037F7CA7648256ACAF38DBF
SHA-256:	35E546DCD29E6B43A5D1201BEFA04A342D3C4D316140EF6B4D1D1ECD5475E759
SHA-512:	B0FBB2C0D2BA5ED7E6D2A4E65D3B6D0E7801C4B06131F9004F9D71B706107660198218AC345167DA37DF7892A34C56A17CD20D8C19FD87DE5BDAE47B21629CB3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.6.7.2.3.9.8.3.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.5.6.e.5.8.f.-.0.2.5.b.-.4.9.3.a.-.a.b.1.1.-.6.0.4.b.a.4.1.a.9.2.1.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.1.7.1.d.2.8.9.-.b.e.e.4.-.4.c.8.9.-.8.8.1.1.-.3.4.7.b.2.d.0.c.0.4.1.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_cfbc60d3a5cdb1aa613b9b15d702be238d3e28_f1f9b96f_155dc56a\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9730535345994372
Encrypted:	false
SSDEEP:	96:w1+dyg3K0QQ2oA7Jf6TpXIQcQnc6rCcEhcw3rr+HbHg/8BRTf3jFa9iVfNsGIMba:Lv6cH56rAjljA4dK+/u7sUS274ItZ
MD5:	423585B85D386B6B58254747D86C738D
SHA1:	2D18EEE3ADEC25DEEDF53619276D901B9AE87CA8
SHA-256:	B369BF62E1C9E25C16D5407F58A2D78516EE9982857530EF7B07D8E8C4E655E7
SHA-512:	3099AE6E3A1543709C4CA953112B8F186181484F43DF042DCD0A0F69B565377645EE2C9B129FB6B75AB8D82F977C695DEDDA78FD2DCA24E157791D769FDA12F0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.2.4.0.5.7.0.9.8.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.9.d.c.5.7.1.d.-.1.9.6.0.-.4.d.a.3.-.a.1.7.c.-.7.7.7.2.b.b.e.d.5.6.3.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.9.3.a.2.0.0.1.-.b.e.5.9.-.4.0.6.c.-.b.9.c.6.-.b.3.7.1.8.d.5.b.5.4.2.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_cfbc60d3a5cdb1aa613b9b15d702be238d3e28_f1f9b96f_1839b925\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9664404178141631
Encrypted:	false
SSDEEP:	96:hVHn3KFQQ2oA7Jf6TpXIQcQnc6rCcEhcw3rr+HbHg/8BRTf3jFa9iVfNsGIMbJ3w:76tH56rAjljA4dKq/u7sUS274ItZ
MD5:	AC4C69FB07726DBF9B22B66BFD6ED7EE
SHA1:	C29089613EA0F99933A6CF1F429611F44E8A00D8
SHA-256:	E2CE24CE52526293FC35233AB2689E6AF7A57EF6EE3E5C1772D2C95D54FB1EFB
SHA-512:	4F19D9C17C915DC9612B97388A26B2CB6231ECA07DB9621ED136F0D6ACFBDE8CECD487DBAD15832C9FB51863A5D617C992882E67ECE9FF3BE92A0E6050FF918B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.2.0.7.3.0.4.5.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.d.b.5.d.d.b.8.-.c.6.2.f.-.4.9.5.d.-.8.d.3.1.-.8.a.2.7.b.9.a.6.6.0.c.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.3.a.b.1.4.9.-.0.c.e.7.-.4.0.5.1.-.9.a.b.6.-.9.8.f.9.1.9.f.d.0.5.5.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_cfbc60d3a5cdb1aa613b9b15d702be238d3e28_f1f9b96f_1931bdb9\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9728387864880165
Encrypted:	false
SSDEEP:	96:Idu3KFQQ2oA7Jf6TpXIQcQnc6rCcEhcw3rr+HbHg/8BRTf3jFa9iVfNsGIMbJ3VZ:qu6tH56rAjljA4dK+/u7sUS274ItZa
MD5:	BD194BC6F1F941D084EFC749FC030866
SHA1:	75778A1ACDB7290C54D34E985933FD61D4721D3E
SHA-256:	4058CC0A2F53174C4E17D5D9353A9E81E26BA176FED85E4E2ACFAA573F9E169C
SHA-512:	7E5C94F2E3C3E931B0FF298E995F6386C32BCFF2D0104DD3C1F2D52FB06EB14148E71B1B34AEE95AD9F0063BD16A754235F9C8B3BC6598E5A4CBE52102B7E7B4
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.2.1.9.7.4.7.6.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.2.1.3.e.a.f.3.-.8.9.c.8.-.4.d.4.d.-.9.9.b.6.-.f.0.d.3.4.b.3.5.5.6.8.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.e.6.a.2.a.9.-.e.5.8.f.-.4.e.6.d.-.9.d.c.0.-.0.b.d.9.9.c.f.1.2.d.3.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_cfbc60d3a5cdb1aa613b9b15d702be238d3e28_f1f9b96f_198dc1a1\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9728844622931021
Encrypted:	false
SSDEEP:	96:xiHTU3KvQQ2oA7Jf6TpXIQcQnc6rCcEhcw3rr+HbHg/8BRTf3jFa9iVfNsGIMbJ0:yTU6HH56rAjljA4dK+/u7sUS274ItZ
MD5:	089D47D01F594DE3DC663C5890A10D3A
SHA1:	349B5411DED45DCCB6DDE457DFB0DA3BC21627E6
SHA-256:	9532EE809957CE5FF9D73D8AA2A22CEB03A265A2A8D9A28A345D771CC7501994
SHA-512:	E4817974A40AA86BFA795931759A8675C68DB1676335F51C2DE3667A30A2B7362C80158E05D1BA82006CF151ADA27EA72382D2D011CC43E7ABA00E1424D94164
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.2.3.0.5.4.9.0.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.9.b.9.0.8.c.-.f.3.2.4.-.4.0.1.e.-.9.d.4.6.-.7.8.6.9.4.9.0.c.5.8.7.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.b.8.9.e.f.2.-.d.1.7.3.-.4.9.7.e.-.a.9.a.1.-.9.4.e.5.c.6.a.b.a.8.a.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_cfbc60d3a5cdb1aa613b9b15d702be238d3e28_f1f9b96f_1ac1f95b\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0409955897368826
Encrypted:	false
SSDEEP:	96:NO3KqQQ2oA7Jf6TpXIQcQnc6rCcEhcw3rr+HbHg/8BRTf3jFa9iVfNsGIMbJ3Vi/:w6iH56rAjljA4dKwf/u7sUS274ItZ
MD5:	8B3E63B0D754DFD59623E286CD3F5D30
SHA1:	38B746AD22715F13451C4F2B59B1308C36072F49
SHA-256:	2C2127E731C22BD32609DC0B89AE1B1356B0B252DA250934A52426F5BCEFCBBD
SHA-512:	53BFD169F14C4F35F18F63279D9286FED8B452D9E3F81B3AD38DF64C5BA7323B20D6F92D46FC8FF2024685FB0130A0ACFD5FE5A6C67A03063607C9509D06DA39
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.3.7.2.4.2.5.9.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.b.6.a.6.9.3.-.f.f.e.9.-.4.b.8.b.-.9.6.d.e.-.1.d.f.7.d.6.0.7.1.4.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.0.0.0.8.8.f.-.6.b.c.1.-.4.8.4.6.-.8.3.f.5.-.6.7.b.1.2.0.4.e.d.4.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BiU282bjyR.exe_cfbc60d3a5cdb1aa613b9b15d702be238d3e28_f1f9b96f_1b19d597\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9982143020900487
Encrypted:	false
SSDEEP:	96:7Wykj3KoQQ2oA7Jf6TpXIQcQnc6rCcEhcw3rr+HbHg/8BRTf3jFa9iVfNsGIMbJK:Y6AH56rAjljA4dKwt/u7sUS274ItZ
MD5:	FC64834B007D2F3D129E1223B1604F45
SHA1:	639C21B2C0E0465D4D2F4291FB25D7EF2607D7CC
SHA-256:	E9519C850A6A9811E01C90A0B8DCF8A841AB136757CEC1CA19E75FAE2F222CC5
SHA-512:	043FD52B2079DD6FACC9A167B72B45B3A758F6617F10D0E3782C196412E418535796248212DC788A85FEB16A71B2D88E3401660A61E4569666DE8040EE2562FD
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.7.9.7.1.0.2.8.1.4.2.2.1.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.c.2.8.4.f.c.-.0.f.0.8.-.4.5.2.3.-.b.6.2.2.-.7.8.b.c.4.4.4.d.2.8.a.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.6.a.5.d.d.f.-.b.8.0.d.-.4.3.3.6.-.b.8.2.6.-.2.5.3.9.5.3.c.2.d.c.9.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.i.U.2.8.2.b.j.y.R...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.7.z...e.x.e.*.....P.r.o.d.u.c.t.N.a.m.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.4.-.0.0.0.1.-.0.0.2.7.-.c.8.8.3.-.2.d.c.6.2.3.d.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.f.4.c.7.e.7.3.6.0.7.1.3.7.f.8.b.2.d.e.9.a.3.5.1.7.b.9.7.3.b.0.0.0.0.0.9.0.4.!.0.0.0.0.2.4.c.5.d.3.1.5.9.a.f.9.d.9.9.2.a.0.a.2.6.3.6.8.c.f.6.5.b.a.3.1.3.f.3.e.8.b.e.4.!.B.i.U.2.8.2.b.j.y.R...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.5./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BBC.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:47 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	114020
Entropy (8bit):	1.9183136063528408
Encrypted:	false
SSDEEP:	384:0B+8UWCePq59hH9vGhIDOGViiLN7TAn9IoURAOdq:XePq59xlGaLNuIoUOc
MD5:	B4F1B6F0C7E7915820A33CA1FA2E1414
SHA1:	ECB5C10A236CC5CF18A02BB00BCDF46FB059EC21
SHA-256:	23059374B5C0D13E9F4DCDC5653564D9071A9E38510F436C5FE64C32734A03AD
SHA-512:	30B03CC4BBCFB20ADAEFD8506E4115C5ACC0A4049963D3E0A9463278A3C4203FD82031FDEF128B609DEF59EC851E3AE3C7FE139C7CD7E951FBFA2E9B82487F66
Malicious:	false
Preview:	MDMP....... .......{..d............t.......................$...p"..........HS..........`.......8...........T...........p6.............."...........$...................................................................U...........B.......%......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D53.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.7045276474387876
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqx6p16YyTSU6Tt0gmf/S8+pBT89bennsf+Km:RrlsNiE6r6YWSU6Tegmf/SmensfK
MD5:	9435851457F547009EC15521226D4407
SHA1:	2FBC4564F49BE002605D68E3A2C3D82DEC5B135A
SHA-256:	4C339C7F9C9595231FA40033A66DF06F694A7D62B1FEDDDBC4822EB1742FAFB1
SHA-512:	20CDADC3E65DE07FAFB474C7791914BC33B0ACE1AF41A5996FC286DE8F8EB4A60A84C75D82B11539B86CB8450F5B097E9038403CFC3F546A7E3C6E0F133B87E8
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB618.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:01 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	78368
Entropy (8bit):	1.9828529422283836
Encrypted:	false
SSDEEP:	192:BOd9PYQN/E8J8Oexz608K/yxX32R4LOP2dUfnkIJSXcXPXJxajoIKPaExK2PTIsQ:4RE8Jzeb83M5wJVZ6LlCUBGkRlWj
MD5:	A65B1CD605FAC6EAA5C43E4F4319D920
SHA1:	ECA3788CF2D89984803060F83DBE632E3D9B681B
SHA-256:	E46B85CF2E017EF8080955A288C493B56968277EDCA6960BFF6C3A5D659319FF
SHA-512:	68600DF8F8FE57E791D009140B4CBADC5612CF5C634BFBA6D2B1D5B8C2B1495568F906CF783D6100A161A961824A09E000C87EF2F189B19EC320E105DE6A3FCD
Malicious:	false
Preview:	MDMP....... .......M..d........................D...........$...........t...h>..........`.......8...........T...........X!...............................................................................................U...........B..............GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7DE.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.70644284584113
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqu6Ch6YybSUfmhEgmf/S8+pBO89bMnnsfpEm:RrlsNiz6k6Y+SUfeEgmf/SlMnsf/
MD5:	8B1C6CC74C3A1C74358B57053707AEAB
SHA1:	6E5353EF8063B271C85AC7AD1652613B200DDDB2
SHA-256:	D8948CD3A7CCD30899443A4C330E76DBCF962A9CBB44E536CEAC3B78A587984B
SHA-512:	A0F512E139B775C368FB917312C340C9D94573D9C08742207B776D51248F8037C48ED58F395B3F500786BECC553799D07ECCEA635B351DD132E4EC5C7BADB1FE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBAEA.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:02 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	88618
Entropy (8bit):	1.891544517065939
Encrypted:	false
SSDEEP:	192:yL+kAc4APJTMDAOexzFyJDQK/yxXePhw0x8/XU732R4LOP2dUfnkIJSXcXPXJxa8:eJTMDXejoCQwnNTcViSLN38ckwOk
MD5:	6701F8758CEAEC799499D42BB9D868E7
SHA1:	06BB7809849175F697652F315023EA097C5E5975
SHA-256:	197180ADE423E427A504DD42978427458E5985C816415B51C3CE452C2E1855A7
SHA-512:	A162E81AF5EAF65B82BF44DD5520F09A2F889ACEA7969D24AE36DC7377C8E6C72A2D6BF6A491C6662C0758535C4AB6B20AA7BF35E0759C640F4E2D13A830DF79
Malicious:	false
Preview:	MDMP....... .......N..d....................................$................D..........`.......8...........T............"...7...........................................................................................U...........B......P ......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC34.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.7044137630669476
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqf6m6YygSUfmhEgmf/S8+pBM89bHnnsf0Jtm:RrlsNii6m6Y1SUfeEgmf/SbHnsf3
MD5:	2205EFD18C6B815A183ED8DDBD59D895
SHA1:	F811469D52F016B7D0E315E08A8C0EDAAC4418F2
SHA-256:	0211DBE0FAD2D72DD6B83A6C8462C3CB55216B4BBDD0070478FE493A6D8609BC
SHA-512:	BE73556031E89C91DBFDB0C6145AA020CA7C9ACCC06945B7B0CCC5E4058573ADD98F69361055EA5F29ADF6B0D82DA234A4C2D13620DC5608B80837B07C3CD745
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF21.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:03 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	87778
Entropy (8bit):	1.9084216852620846
Encrypted:	false
SSDEEP:	192:PGPc4APJTMNsBoOexzFxxK/yxXePhw0x8/XU732R4LOP2dUfnkIJSXcXPXJxajou:hJTMSBvejoILFT7OyNOViSLNSTvYse0i
MD5:	354372549D67CB104430BEC511DD4A4A
SHA1:	3E49B7B1F8E8F89E8843F0B919A31FD99CA4FFEC
SHA-256:	66BAA6AFA670F802BBCA5F030D8689CB319669376243593B7445218F8C90FB87
SHA-512:	FFF438B769BD2DEDBEC30545B6DA0334C5A362ECEFC04FE70C960645DA24E825B513468F861FAA8C053CEDF39223741CF04C5B8FCEF48E96425035D8C8249F77
Malicious:	false
Preview:	MDMP....... .......O..d....................................$................D..........`.......8...........T............"..J4...........................................................................................U...........B......P ......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC04A.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.705346833284827
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqf6kI6Yy0SUfmhEgmf/S8+pBT89b+nnsfbjqm:RrlsNiC6kI6YBSUfeEgmf/Sm+nsfbv
MD5:	EFE05B527247E94C1E760F28F226B712
SHA1:	4796A2688E6ED5ED88076330FAD00E10DC2BCDA8
SHA-256:	2873C1106130C7E304069F013D6B91B5EE7F4DB686B0B3147D8915294000DDD9
SHA-512:	089D9F316A139C8311249AF81DF9F2E529DA61EAE15B13AD28B30BFB7E98D52FD4393220CB3C05C9B5C59B2FAB7E59A1AC02C4EF7F5129EEED68C403E52B8647
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC318.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:04 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	93648
Entropy (8bit):	1.8831032145015207
Encrypted:	false
SSDEEP:	384:Sa54bteGzo6rX/gGjViSLNbMV3i5ViF15mcuXCWfEsQ:0eGzjX/rLNuWfEL
MD5:	468700A3FA4D49728906EE9626C392C3
SHA1:	D21B302F033AADD50C141D1A6142DA65613BF88E
SHA-256:	F6065B31E4811D99F215845CDA965B4BCA9E687730F9B8D9D7C1C8E635D3705A
SHA-512:	4BCC2EDC7D867298C6537EE5A4DD9394EFE4E1C4ED658BBC9CE9CFA03D5590CE5B7AE552DE3B0F9747F8334B997F51BFA52C78B6BD38C05B62729A9FB88FF504
Malicious:	false
Preview:	MDMP....... .......P..d............................(.......$................G..........`.......8...........T...........`#..pJ...........................................................................................U...........B....... ......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC442.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.7030271274777906
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqo6dp6YyQSUfmhCiGgmf/S8+pBT89bxnnsfYR7m:RrlsNiV6z6YFSUfeOgmf/SmxnsfF
MD5:	58C076FA680E3F74C1C977CA52ACE39A
SHA1:	06EE543369E2E3220B362DDBB54F56E99E3C768F
SHA-256:	637EA571EF692AFFE376A7270352E5540F82FE3EDCC43AB42616256C0BF2BA86
SHA-512:	708FAEFB0FC4132DDEBAA567AAF73F767CD158424166FC0F36CD8E19A54027A92DC0E52616DCDE064CABB1058B15F9B7F230DC4863089DBD07188B70DF90AD07
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC72F.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:05 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	102310
Entropy (8bit):	1.9059104126606683
Encrypted:	false
SSDEEP:	384:QJp4xfeWLu+olTE1JbsJMCViSLNznXwXKqCm:QueWK+yEfBeLNMXH
MD5:	C2DEA386B72C787670565957A8280CD0
SHA1:	C68AC9EBAF8900EC2AB1FAE8CAD931EBB51C353E
SHA-256:	4473B6F6DA0593A59F48DCF197C29F74513FEBBA1E67BB1751121D59463D205E
SHA-512:	D8EBEE5F51B4D951E4F25CC3D7E732DAA292421CFFEB47BCE4051AB54F3EEDB74301EA7AD30DD399478EB025ED876ACAC457A90F54EE002D97AB5BF2BD47AC6B
Malicious:	false
Preview:	MDMP....... .......Q..d............D...............X.......$...........4....J..........`.......8...........T............&...i..........,............ ...................................................................U...........B....... ......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC888.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.7032874302459597
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiq36Om6YycSUfmWgmfvSFAjAK+pB+89bonnsfp4m:RrlsNi66Om6YpSUfHgmfvSFAjAjonsfT
MD5:	30A4A9D0ACB5F823A04CD83D95C115AD
SHA1:	A4DF67AFCF943CCA8A5CCDED637833276F18B53E
SHA-256:	186838449F331A99736E2026407C7C152A4DCDB8E51F722A3D2DE755A974909A
SHA-512:	774B144AD22896585D5B15D6FFD6FD9331929E25637AE9D4A1B09D873D8B44CA129351B005813164230BB93390E1B6BF2C056DABEB3E2408A2456754699DBCD5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB17.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:06 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	96792
Entropy (8bit):	1.927102615991072
Encrypted:	false
SSDEEP:	384:DO54YvejUyu+oqfNJbDlCViSLNYsY59uurjRvZKRB:D0ejUz+rHZeLNgjJ8B
MD5:	EE4FD10706490F9F2682CF51B5C523E8
SHA1:	79EF3AEA3875745DD408FB761832A30A807385EA
SHA-256:	B0260FBF33804BA53D6C3D0CF45ECD7E92BF56F8A932CC4B5233D980A61F9D3F
SHA-512:	44EE7EC8322625ECB233805ED1104AFB25F0D5E176645A86532C1C6D474BDB4C70E849C25286FE97F336D31095F567A603BB3FAF6944EA0B2B9734BCC980586F
Malicious:	false
Preview:	MDMP....... .......R..d............................(.......$...........D....G..........`.......8...........T............%..`T...........................................................................................U...........B....... ......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC31.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.7042963845410117
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqG6a6YyiSUSmhUrgmf/S8+pBy89bjnnsfKhm:RrlsNib6a6Y3SUSeAgmf/SpjnsfV
MD5:	128DCD6D11F41A0B824C751387A0905D
SHA1:	24ABC7B06E8AFC34169901156D4F7A632BB22F9F
SHA-256:	91D3939969FB4DDF80DE26F9938A84D0F9FA875C3485A430232770156871C2AC
SHA-512:	427BA01539C1BB632C62C726F45E21564815AC2105234C296BAA7DFE7BCCD07281652EE0C1A2C9438FFB7C957C36BB8EC7705D8DA8F25DEF59142D42AC8635AD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF0F.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:07 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	105846
Entropy (8bit):	1.9271813100119046
Encrypted:	false
SSDEEP:	384:PKsBSeCG/E1sciUmpASMmUo7APN+FWViSLNHdS53V/7O1LiFse:yer+/iUOA4sNAaLN6V/7OdiFs
MD5:	92FDD427DD05136238AAC62202009E7F
SHA1:	FD2CE6B9F6F7A606A57226E860F655D29ECE293A
SHA-256:	88A7A49D330190284FDF59A6FE8F921FDA1D4D2975C16164B0E05E2FA315AFA4
SHA-512:	ED523A48B41EEE9D08425C1B56B2BF8BC476C0B16704BA545FEE7798A0D940F6844CDFF2DA6208C6FD53953732E8DE94052D5AF72428C89CA7368B1F6631B0EB
Malicious:	false
Preview:	MDMP....... .......S..d............D...............X.......$...........4....L..........`.......8...........T............)...s....................... ...................................................................U...........B.......!......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD067.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.7045589887070745
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiq+6k6YyUSUbbfSgmf/S8+pBt89bMbnnsf3Kyjm:RrlsNiD6k6YBSUbbagmf/SoMbnsfH6
MD5:	E5FC229AF4ACAC016157A8CE34EE87CA
SHA1:	F811E62269A47E24FAF688D68A5A811D544796F3
SHA-256:	B56222A664E3849E55C3B169568489E1B3EF0E0EE33DB5A9F1D425701106A1B8
SHA-512:	F3EA029C4D28743C82E0E601F1E001BCB1BEE58EE3BF0B3FFD3428A3CB7EAFB0EA311F48CFD42A7C795B0B23E8D1555D4357A05F609D1EFED63A0CDFF196FCCD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD306.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:08 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	117106
Entropy (8bit):	1.9945228666868058
Encrypted:	false
SSDEEP:	384:dJLYwwvseGh/r9h9Mm0r3T07YJo7CFWhpSLNbeK2Y4MiZ5bsx:AvseeTbXY3M0o7sXLNh4MiD
MD5:	3C296B81085DF0B4C9349F743AC7B4BB
SHA1:	E0FA8E031369C542BFC685F6BAF236C86C89AF8D
SHA-256:	E0339C47042C9E966EEDF467DB0C2A7BD83701E01826B8FE8A87521B4823574B
SHA-512:	A046BF7168E334A04567FEAC5CA08F0ABFA1667434E7FE328EA65D1530E6E4E56810F3829E71E5B3D68B73B7EF38191B60D6C9A768AE6AC500034F2B91DAD820
Malicious:	false
Preview:	MDMP....... .......T..d............t...........`...........$...........d....P..........`.......8...........T............1............... ...........!...................................................................U...........B......."......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD47E.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.7039124343330307
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiq/6X+1u56YycSUbbEDgmf/S8+pBp89bdnnsf9fm:RrlsNiC6yu56YZSUbbIgmf/Skdnsfo
MD5:	CDC384320680A001CD98B7E11E4CE7ED
SHA1:	0D8D7D36DAF075AAAE32A1D8A41B643B5FB14BD7
SHA-256:	4BD3DB7267A807AB7A9621C4A34F4EE5A06714E5E90C1064265A02B10850ADCE
SHA-512:	EBB573711BDD45C0159C15D3E0F91FA2979EE9EC3FEC1AAF6624A22542C6A51C3713FBAD0D3BFDE36B4CCEA068BEED2622C730F5694D4AFAEE858D3D5A8DB854
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7C9.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:09 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	113434
Entropy (8bit):	1.9540187805125897
Encrypted:	false
SSDEEP:	384:qB+8jgePFHQho9/t9T7d6F6ViiLN2Ejuut2ag2EtDa:ZePFHQ+5t9T6eLNz2t6
MD5:	51CB853AF4BF8A9AFB31438D58CDF18A
SHA1:	AFD8CE8F4EF79DBDB27986A83E4C853570AB48FA
SHA-256:	0B96434E66EF50E67558F8497A06619108AACF80B5C8ED71A20CA9EA49D2C58E
SHA-512:	B80DF4854AFB069FB840135F7465EA172AF5270549E58AC7781832BD31E8C292240AAEBDC5094C4736DA5B07EC489FA60BFCE347E55F8063FBBB085FE93261C5
Malicious:	false
Preview:	MDMP....... .......U..d............t.......................$...p"..........HS..........`.......8...........T...........H6.............."...........$...................................................................U...........B.......%......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD951.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.703004005884765
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqjV6S0O6YyUSUbbEDgmfvSFAjAK+pBT89bUnnsfEcm:RrlsNiMV646YRSUbbIgmfvSFAjAQUns+
MD5:	FA167F86617ABCB41272953EC7CBC956
SHA1:	997A45E280375B1023DBD11F9EC2730BD78BE895
SHA-256:	A801DCE280D7F87F097C1D3A3F7C371229CD9D02311B2DF563764D3E870012B2
SHA-512:	635D8CA59A2275324104A8796B9AE0E84FFBD106D791F4BC33599538F86DB849ACE0D2C9D9EED87634B9ED0FF0C9260F1222643BA582B3149E2A5018C0CB371F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF68C.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:17 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	113922
Entropy (8bit):	1.942333682334088
Encrypted:	false
SSDEEP:	384:YB+8OSePqCV9hV9LjWxmiDOGViiLNGtImozFLFKXU:kePqE9DJjW3LNTmozxZ
MD5:	DE5ACDDBF54CD23430BBAE24A232D56D
SHA1:	6DD4967F5B12283FAEAAD52829637B08FCD0F74D
SHA-256:	842B5D9DBF304EE33C89C02F4CDE96A6427C43CC50D1D900FB3E1AD19FED7715
SHA-512:	6BFD737AA2A07B9B1365BA8FDCE15FD9E12CD01212C1F6EE9CB534DE8CE1EAD621C7D133FB4BABE7FAAE6397726FEA2D81CFD0BF3DD3352EA36B57F8E3613C59
Malicious:	false
Preview:	MDMP....... .......]..d............t.......................$...p"..........HS..........`.......8...........T...........H6..............."...........$...................................................................U...........B.......%......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF823.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.7055723943567798
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqQ6mM6YywSUCZhgmf/S8+pBH89b7nnsfNpm:RrlsNil696Y1SUCfgmf/Sa7nsfK
MD5:	A021F5B7435F694CED8C615BD289515E
SHA1:	D3FB152BB470E0C6E976B5E634E81F32FA9BF572
SHA-256:	018F8F58E6F98E8AEA94171F3D37A894020912A9FA19F6469EBDD0E8A316777C
SHA-512:	E6797EC46073C196CA8835FC08706D61352BD6EF63981905111AD1FD3F39E4CB4FC7DAB3395BDE3FD1003E24D011AF0AD729E76B21C472C32C949CA11252B390
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAF1.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Aug 31 15:57:18 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	113472
Entropy (8bit):	1.9624533226525045
Encrypted:	false
SSDEEP:	384:VB+8E6WePEBh693djAAOFSViiLNXNKL6AGMEzdlTu1+:qePEBsVdymLNQLbGRzdFK
MD5:	65F47A2D56859E2D864C6407E5FCE41A
SHA1:	5228E2A9B8CC13946B2E4E688D298488EA157695
SHA-256:	EA3493B8424C4FFE7FCAC03037EFDBCD517B581097AE1745E161DFAD493F4BF4
SHA-512:	00AA4DD4F721D5CBC367F625411BA0D0204369348161FA3C9AD83E9E30F39A991BD0A050E4AD4C45A0E980B43827A1E2A0115626C79C82BB6C1F246258DA3A9E
Malicious:	false
Preview:	MDMP....... .......^..d............t.......................$...p"..........HS..........`.......8...........T...........p6.............."...........$...................................................................U...........B.......%......GenuineIntelW...........T...........K..d.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC69.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.705493125943907
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiqx6jsL6YydSUrJmbgmfvSFAjAK+pBT89bcnnsf/R40m:RrlsNik6U6Y4SUrJCgmfvSFAjAQcnsfA
MD5:	7257F91D93259367548063E3CF22E48A
SHA1:	5BD1F16616925594C7D3565176BA0B740B98EF3C
SHA-256:	517AC1552D6BBD186278CA3DB72382EBF2EDCDF7822F2D8140EC8770B8EE6893
SHA-512:	A416B710F1147173174A8C8E76499DB56F186E2E32C9B58CC6C350EE9E04D10CDFD4CD29162E06AC6A5B8204B2DF57CBA2E0858CA8231D93A89D9A9387FE67B9
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.6.<./.P.i.d.>.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\json[1].json

Process:	C:\Users\user\Desktop\BiU282bjyR.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	945
Entropy (8bit):	4.994779790316133
Encrypted:	false
SSDEEP:	12:tklJnd6UGkMyGWKyMPVGADxapaiH8GdAPORkoao9W7im51w799CFF6RjSat5Rt8L:qlNdVauKyM85266m7PCeCLn
MD5:	3A320A00C6ECC1BAE20C00A66631696F
SHA1:	C1797318B9169D374D70A97761768713584AF528
SHA-256:	79BD6579B5A4EBCBBC8BDB27E5C070B062477F0F043239DF518348DC2986759E
SHA-512:	D004EBD672E5F4C8362A7A79784760E92BE9F6F2AE1254CAD496F70D628B0A936B44CBCFCD41C1B0505208F21893D41BED6B986067149FB17A6AEE248A2D7BEB
Malicious:	false
Preview:	{. "geoplugin_request":"84.17.52.42",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Zurich",. "geoplugin_region":"Zurich",. "geoplugin_regionCode":"ZH",. "geoplugin_regionName":"Zurich",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"",. "geoplugin_countryCode":"CH",. "geoplugin_countryName":"Switzerland",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"EU",. "geoplugin_continentName":"Europe",. "geoplugin_latitude":"47.3682",. "geoplugin_longitude":"8.5671",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"Europe\/Zurich",. "geoplugin_currencyCode":"CHF",. "geoplugin_currencySymbol":"CHF",. "geoplugin_currencySymbol_UTF8":"CHF",. "geoplugin_currencyConverter":0.8786.}

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.374466102074607
Encrypted:	false
SSDEEP:	12288:CocTQC4Lh9c+g1Ep7cMZK8yrWzte7y/5rmZrmQ0ithr7+i+invToDdE+:NcTQC4Lh9c+g1EEgq
MD5:	51D5A989C723876E75FAE5D58BCF2AEC
SHA1:	EDED1FC7811166B58E6C9DBDFD269A9AC076471C
SHA-256:	CC2FD3C46EDBC75FDC7325F5FD0FBD6149A0417702060AB956047C7C5E0AAB28
SHA-512:	26239063461B279EB09376833235B1C81879C6AAB884C27AB704853FFF83796CFB56AC54A66E4B1785C563C8CAFA39D0DD28070DB9D20C375078A985EA8F3D10
Malicious:	false
Preview:	regf........p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm>...#...............................................................................................................................................................................................................................................................................................................................................]...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7387450605764565
TrID:	Win32 Executable (generic) a (10002005/4) 91.23% Win32 Executable Borland Delphi 7 (665061/41) 6.07% Win32 Executable Borland Delphi 6 (262906/60) 2.40% Win32 Executable Delphi generic (14689/80) 0.13% Windows Screen Saver (13104/52) 0.12%
File name:	BiU282bjyR.exe
File size:	1'232'384 bytes
MD5:	111355b58d38248c4f0d96a509ca44e5
SHA1:	24c5d3159af9d992a0a26368cf65ba313f3e8be4
SHA256:	c67621749a60aa3546fbfb190a151ad3339d2a96a89e83491acb396709e9cb22
SHA512:	8b7f934593d6c74f90debec2f1b8c9320c266cf1c3f93bae3df6cc417103edadd2f48b1d61a3f31853b3c06b3f1562719c2297a63a4f84d20ac4b80581834e57
SSDEEP:	24576:H/LsqswSUjWPTu1ipkwqqVn8EvDC5Gk2D9f:HYLHPAiT8EGc
TLSH:	7B458C93F380147FF1A6C63BAC8E7BFD94A16F4D190A08412EB42F48FF6D641699474A
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	953a5a92e9ccf429

Static PE Info

General

Entrypoint:	0x458058
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ab49388f1a819498b47a540e48d11f55

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00457DE0h
call 00007F9268B3F5A1h
mov eax, dword ptr [0045A854h]
mov eax, dword ptr [eax]
call 00007F9268B89BEDh
mov ecx, dword ptr [0045A890h]
mov eax, dword ptr [0045A854h]
mov eax, dword ptr [eax]
mov edx, dword ptr [004578F8h]
call 00007F9268B89BEDh
mov eax, dword ptr [0045A854h]
mov eax, dword ptr [eax]
call 00007F9268B89C61h
call 00007F9268B3D2FCh
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5c000	0x1fcc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x67000	0xcb200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0x6604	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5f000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x570a0	0x57200	False	0.5289886343256814	data	6.538459274263289	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x59000	0x1a3c	0x1c00	False	0.4321986607142857	data	4.382612796170792	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x5b000	0xe25	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5c000	0x1fcc	0x2000	False	0.3729248046875	data	5.024694654459872	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5e000	0x40	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5f000	0x18	0x200	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x60000	0x6604	0x6800	False	0.6121544471153846	data	6.640910104811994	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x67000	0xcb200	0xcb200	False	0.5847091346153847	data	6.517210786725181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
F34RT13T	0x67d24	0x9dbfc	data	English	United States	0.6533444764292569
RT_CURSOR	0x105920	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0x105a54	0x134	data			0.4642857142857143
RT_CURSOR	0x105b88	0x134	data			0.4805194805194805
RT_CURSOR	0x105cbc	0x134	data			0.38311688311688313
RT_CURSOR	0x105df0	0x134	data			0.36038961038961037
RT_CURSOR	0x105f24	0x134	data			0.4090909090909091
RT_CURSOR	0x106058	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_BITMAP	0x10618c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x10635c	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0x106540	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x106710	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0x1068e0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0x106ab0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0x106c80	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x106e50	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x107020	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x1071f0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x1073c0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_ICON	0x1074a8	0x904d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9977531739801305
RT_ICON	0x1104f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.12377262510351354
RT_ICON	0x120d20	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 0	English	United States	0.18160813308687615
RT_ICON	0x1261a8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	United States	0.1615493623051488
RT_ICON	0x12a3d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.2245850622406639
RT_ICON	0x12c978	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.25
RT_ICON	0x12da20	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.364344262295082
RT_ICON	0x12e3a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.4166666666666667
RT_DIALOG	0x12e810	0x52	data			0.7682926829268293
RT_STRING	0x12e864	0x2b4	data			0.42485549132947975
RT_STRING	0x12eb18	0x3b4	data			0.34282700421940926
RT_STRING	0x12eecc	0x348	data			0.40595238095238095
RT_STRING	0x12f214	0x1f0	data			0.4213709677419355
RT_STRING	0x12f404	0x1c0	data			0.44419642857142855
RT_STRING	0x12f5c4	0xdc	data			0.6
RT_STRING	0x12f6a0	0x2f4	data			0.4497354497354497
RT_STRING	0x12f994	0xdc	data			0.5863636363636363
RT_STRING	0x12fa70	0x10c	data			0.5746268656716418
RT_STRING	0x12fb7c	0x33c	data			0.4311594202898551
RT_STRING	0x12feb8	0x3cc	data			0.37448559670781895
RT_STRING	0x130284	0x370	data			0.3931818181818182
RT_STRING	0x1305f4	0x42c	data			0.36891385767790263
RT_STRING	0x130a20	0x114	data			0.5
RT_STRING	0x130b34	0xe4	data			0.5482456140350878
RT_STRING	0x130c18	0x24c	data			0.477891156462585
RT_STRING	0x130e64	0x4a4	data			0.29208754208754206
RT_STRING	0x131308	0x358	data			0.4158878504672897
RT_STRING	0x131660	0x2b4	data			0.4060693641618497
RT_RCDATA	0x131914	0x10	data			1.5
RT_RCDATA	0x131924	0x354	data			0.6913145539906104
RT_RCDATA	0x131c78	0x108	Delphi compiled form 'Thorlqrq'			0.8068181818181818
RT_GROUP_CURSOR	0x131d80	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x131d94	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x131da8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x131dbc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x131dd0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x131de4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x131df8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x131e0c	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x131e84	0x2a4	data	English	United States	0.4940828402366864

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPolyFillMode, GetPixelFormat, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll	ShellExecuteExW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3212.23.211.23849725270092032776 08/31/23-17:57:02.741057	TCP	2032776	ET TROJAN Remcos 3.x Unencrypted Checkin	49725	27009	192.168.2.3	212.23.211.238
212.23.211.238192.168.2.327009497252032777 08/31/23-17:57:02.818401	TCP	2032777	ET TROJAN Remcos 3.x Unencrypted Server Response	27009	49725	212.23.211.238	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2023 17:57:02.718616009 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:02.738822937 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:57:02.739058018 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:02.741056919 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:02.811446905 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:57:02.818401098 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:57:02.870146036 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:02.890023947 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:57:02.932617903 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:04.859107018 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:04.929227114 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:57:10.039567947 CEST	49726	80	192.168.2.3	178.237.33.50
Aug 31, 2023 17:57:10.065515995 CEST	80	49726	178.237.33.50	192.168.2.3
Aug 31, 2023 17:57:10.065665960 CEST	49726	80	192.168.2.3	178.237.33.50
Aug 31, 2023 17:57:10.065952063 CEST	49726	80	192.168.2.3	178.237.33.50
Aug 31, 2023 17:57:10.095884085 CEST	80	49726	178.237.33.50	192.168.2.3
Aug 31, 2023 17:57:10.096029043 CEST	49726	80	192.168.2.3	178.237.33.50
Aug 31, 2023 17:57:10.148854971 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:10.218312979 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:57:11.095581055 CEST	80	49726	178.237.33.50	192.168.2.3
Aug 31, 2023 17:57:11.095705986 CEST	49726	80	192.168.2.3	178.237.33.50
Aug 31, 2023 17:57:17.995325089 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:57:18.043266058 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:19.139785051 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:19.209798098 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:57:47.996212006 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:57:48.045866013 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:49.099760056 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:57:49.169913054 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:58:17.997649908 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:58:18.048418045 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:58:18.550288916 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:58:18.620901108 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:58:48.000139952 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:58:48.051615000 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:58:48.450874090 CEST	49725	27009	192.168.2.3	212.23.211.238
Aug 31, 2023 17:58:48.520229101 CEST	27009	49725	212.23.211.238	192.168.2.3
Aug 31, 2023 17:58:58.943857908 CEST	49726	80	192.168.2.3	178.237.33.50
Aug 31, 2023 17:58:59.255769014 CEST	49726	80	192.168.2.3	178.237.33.50
Aug 31, 2023 17:58:59.864965916 CEST	49726	80	192.168.2.3	178.237.33.50
Aug 31, 2023 17:59:01.068270922 CEST	49726	80	192.168.2.3	178.237.33.50
Aug 31, 2023 17:59:03.474745989 CEST	49726	80	192.168.2.3	178.237.33.50
Aug 31, 2023 17:59:08.287559032 CEST	49726	80	192.168.2.3	178.237.33.50

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2023 17:57:10.009466887 CEST	56452	53	192.168.2.3	8.8.8.8
Aug 31, 2023 17:57:10.030405998 CEST	53	56452	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 31, 2023 17:57:10.009466887 CEST	192.168.2.3	8.8.8.8	0x4e09	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 31, 2023 17:57:10.030405998 CEST	8.8.8.8	192.168.2.3	0x4e09	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49726	178.237.33.50	80	C:\Users\user\Desktop\BiU282bjyR.exe

Timestamp	kBytes transferred	Direction	Data
Aug 31, 2023 17:57:10.065952063 CEST	2	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Aug 31, 2023 17:57:10.095884085 CEST	3	IN	HTTP/1.1 200 OK date: Thu, 31 Aug 2023 15:57:10 GMT server: Apache/2.4.52 (Ubuntu) content-length: 945 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 34 2e 31 37 2e 35 32 2e 34 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 5a 75 72 69 63 68 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f 64 65 22 3a 22 5a 48 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 72 69 63 68 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 61 72 65 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 6d 61 43 6f 64 65 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 69 6e 45 55 22 3a 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 65 75 56 41 54 72 61 74 65 22 3a 66 61 6c 73 65 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 45 55 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 45 75 72 6f 70 65 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 61 74 69 74 75 64 65 22 3a 22 34 37 2e 33 36 38 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 6e 67 69 74 75 64 65 22 3a 22 38 2e 35 36 37 31 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 6c 6f 63 61 74 69 6f 6e 41 63 63 75 72 61 63 79 52 61 64 69 75 73 22 3a 22 32 30 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 5c 2f 5a 75 72 69 63 68 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 43 48 46 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 22 3a 22 43 48 46 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 53 79 6d 62 6f 6c 5f 55 54 46 38 22 3a 22 43 48 46 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 75 72 72 65 6e 63 79 43 6f 6e 76 65 72 74 65 72 22 3a 30 2e 38 37 38 36 0a 7d Data Ascii: { "geoplugin_request":"84.17.52.42", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Zurich", "geoplugin_region":"Zurich", "geoplugin_regionCode":"ZH", "geoplugin_regionName":"Zurich", "geoplugin_areaCode":"", "geoplugin_dmaCode":"", "geoplugin_countryCode":"CH", "geoplugin_countryName":"Switzerland", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"EU", "geoplugin_continentName":"Europe", "geoplugin_latitude":"47.3682", "geoplugin_longitude":"8.5671", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"Europe\/Zurich", "geoplugin_currencyCode":"CHF", "geoplugin_currencySymbol":"CHF", "geoplugin_currencySymbol_UTF8":"CHF", "geoplugin_currencyConverter":0.8786}

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: BiU282bjyR.exePID: 7076, Parent PID: 3524

General

Target ID:	0
Start time:	17:56:59
Start date:	31/08/2023
Path:	C:\Users\user\Desktop\BiU282bjyR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\BiU282bjyR.exe
Imagebase:	0x400000
File size:	1'232'384 bytes
MD5 hash:	111355B58D38248C4F0D96A509CA44E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.638122231.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.638302980.0000000002970000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.638058832.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Chronological Activities

Analysis Process: WerFault.exePID: 6148, Parent PID: 7076

General

Target ID:	3
Start time:	17:57:00
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 840
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 6412, Parent PID: 7076

General

Target ID:	5
Start time:	17:57:01
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 844
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 6576, Parent PID: 7076

General

Target ID:	7
Start time:	17:57:02
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 888
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 5472, Parent PID: 7076

General

Target ID:	9
Start time:	17:57:03
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 892
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 6816, Parent PID: 7076

General

Target ID:	11
Start time:	17:57:04
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 884
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 5236, Parent PID: 7076

General

Target ID:	13
Start time:	17:57:05
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 844
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 1112, Parent PID: 7076

General

Target ID:	15
Start time:	17:57:06
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 1052
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 6948, Parent PID: 7076

General

Target ID:	17
Start time:	17:57:07
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 1220
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 6312, Parent PID: 7076

General

Target ID:	19
Start time:	17:57:09
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 912
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 6908, Parent PID: 7076

General

Target ID:	23
Start time:	17:57:17
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 1252
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 7132, Parent PID: 7076

General

Target ID:	25
Start time:	17:57:18
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 912
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Chronological Activities

Analysis Process: WerFault.exePID: 5436, Parent PID: 7076

General

Target ID:	38
Start time:	17:57:47
Start date:	31/08/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 1416
Imagebase:	0x1060000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true