Windows Analysis Report
9VYSw7MFa8.dll

Overview

General Information

Sample name: 9VYSw7MFa8.dll
(file extension renamed from exe to dll; renamed because the original name is a hash value)
Original sample name: e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41.exe
Analysis ID: 1503244
MD5: 57439e19c45bc847f6d62825c1008108
SHA1: c58285c72a5d658f3e4de6c0704fd65eb4a4e298
SHA256: e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41
Tags: exe, WikiLoader

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 3916 cmdline: loaddll64.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3664 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 2188 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 1216 cmdline: C:\Windows\system32\WerFault.exe -u -p 2188 -s 324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 4952 cmdline: rundll32.exe C:\Users\user\Desktop\9VYSw7MFa8.dll,??0NbBroadPhaseAddsProperty@physx@@QEAA@XZ MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 2632 cmdline: C:\Windows\system32\WerFault.exe -u -p 4952 -s 324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 3704 cmdline: rundll32.exe C:\Users\user\Desktop\9VYSw7MFa8.dll,??0NbBroadPhaseRemovesProperty@physx@@QEAA@XZ MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 616 cmdline: C:\Windows\system32\WerFault.exe -u -p 3704 -s 320 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 6684 cmdline: rundll32.exe C:\Users\user\Desktop\9VYSw7MFa8.dll,??0NbCCDPairsProperty@physx@@QEAA@XZ MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 3804 cmdline: C:\Windows\system32\WerFault.exe -u -p 6684 -s 316 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 3352 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",??0NbBroadPhaseAddsProperty@physx@@QEAA@XZ MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 6432 cmdline: C:\Windows\system32\WerFault.exe -u -p 3352 -s 316 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 6872 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",??0NbBroadPhaseRemovesProperty@physx@@QEAA@XZ MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 5608 cmdline: C:\Windows\system32\WerFault.exe -u -p 6872 -s 324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 6880 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",??0NbCCDPairsProperty@physx@@QEAA@XZ MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 2244 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxUnregisterPhysicsSerializers MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7308 cmdline: C:\Windows\system32\WerFault.exe -u -p 2244 -s 316 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 5692 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxSetPhysXDelayLoadHook MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 3184 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterUnifiedHeightFields MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1216 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterPhysicsSerializers MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7192 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterParticles MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7232 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterHeightFields MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7260 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterCloth MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7300 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterArticulations MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7320 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxGetValue MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7392 cmdline: rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxGetPhysicsBinaryMetaData MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 9VYSw7MFa8.dll | ReversingLabs: Detection: 45%
Source: 9VYSw7MFa8.dll | Virustotal: Detection: 57%
Source: unknown | HTTPS traffic detected: 20.189.173.20:443 -> 192.168.2.6:62029 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.189.173.20:443 -> 192.168.2.6:62028 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.189.173.20:443 -> 192.168.2.6:62031 version: TLS 1.2
Source: 9VYSw7MFa8.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: d:\p4\sw\physx\PhysXSDK\3.3\RELEASE\3.3.0\bin\win64\PhysX3_x64.pdb source: loaddll64.exe, 00000000.00000002.3466662537.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2272545924.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2272824549.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2290740379.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.2326070126.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2364834966.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.2365312601.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.2322066492.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.2361235145.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2334228697.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.2349023947.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001D.00000002.2341019266.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001F.00000002.2333893498.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000020.00000002.2330646380.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.2338004255.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp, 9VYSw7MFa8.dll
Source: Joe Sandbox View | IP Address: 20.189.173.20
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.20
Source: unknown | HTTP traffic detected: POST /Telemetry.Request HTTP/1.1; Connection: Keep-Alive; User-Agent: MSDW; MSA_DeviceTicket: t=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&p=; Content-Length: 4758; Host: umwatson.events.data.microsoft.com
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
Source: unknown | Network traffic detected: HTTP traffic on port 62029 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 62028 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 62031 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62031
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62029
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62028
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2188 -s 324
Source: 9VYSw7MFa8.dll | Binary or memory string: OriginalFilename PhysX3_x64.dll, vs 9VYSw7MFa8.dll
Source: classification engine | Classification label: mal48.winDLL@81/28@0/1
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6684
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3704
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3352
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2188
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6872
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2244
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4952
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d6a4bdec-6793-49a9-8c37-0703fea32f1f
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\9VYSw7MFa8.dll,??0NbBroadPhaseAddsProperty@physx@@QEAA@XZ
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",#1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4952 -s 324
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\9VYSw7MFa8.dll,??0NbBroadPhaseRemovesProperty@physx@@QEAA@XZ
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3704 -s 320
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\9VYSw7MFa8.dll,??0NbCCDPairsProperty@physx@@QEAA@XZ
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6684 -s 316
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",??0NbBroadPhaseAddsProperty@physx@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",??0NbBroadPhaseRemovesProperty@physx@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",??0NbCCDPairsProperty@physx@@QEAA@XZ
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxUnregisterPhysicsSerializers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxSetPhysXDelayLoadHook
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6872 -s 324
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3352 -s 316
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterUnifiedHeightFields
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterPhysicsSerializers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterParticles
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterHeightFields
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterCloth
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterArticulations
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2244 -s 316
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxGetValue
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxGetPhysicsBinaryMetaData
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2188 -s 324
Source: C:\Windows\System32\loaddll64.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 9VYSw7MFa8.dll | Static PE information: More than 130 > 100 exports found
Source: 9VYSw7MFa8.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 9VYSw7MFa8.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: 9VYSw7MFa8.dll | Static file information: File size 3023360 > 1048576
Source: 9VYSw7MFa8.dll | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x259600
Source: 9VYSw7MFa8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9VYSw7MFa8.dll | Static PE information: section name: text
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFD945D2645 push 00000031h; iretq 0_2_00007FFD945D2650
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFD945D3044 push rbp; iretd 0_2_00007FFD945D3050
Source: C:\Windows\System32\loaddll64.exe | Code function: 0_2_00007FFD945D2304 push rbx; retf 0_2_00007FFD945D2305
Source: C:\Windows\System32\rundll32.exe | Code function: 27_2_00007FFD945D2645 push 00000031h; iretq 27_2_00007FFD945D2650
Source: C:\Windows\System32\rundll32.exe | Code function: 27_2_00007FFD945D3044 push rbp; iretd 27_2_00007FFD945D3050
Source: C:\Windows\System32\rundll32.exe | Code function: 27_2_00007FFD945D2304 push rbx; retf 27_2_00007FFD945D2305
Source: C:\Windows\System32\rundll32.exe | Code function: 32_2_00007FFD945D2645 push 00000031h; iretq 32_2_00007FFD945D2650
Source: C:\Windows\System32\rundll32.exe | Code function: 32_2_00007FFD945D3044 push rbp; iretd 32_2_00007FFD945D3050
Source: C:\Windows\System32\rundll32.exe | Code function: 32_2_00007FFD945D2304 push rbx; retf 32_2_00007FFD945D2305
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: Amcache.hve.9.dr; Binary or memory string: VMware
Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr; Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr; Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe; Process queried: DebugPort
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",#1
Source: Amcache.hve.9.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr; Binary or memory string: MsMpEng.exe
MITRE ATT&CK matrix (numbers in parentheses are the matched-signature counts shown in the matrix):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (11) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | Security Software Discovery (21) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Rundll32 (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (11) | Security Account Manager | System Information Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
[Behavior graph image not extracted] Behavior Graph ID: 1503244; Sample: 9VYSw7MFa8.exe; Start date: 03/09/2024; Architecture: WINDOWS; Score: 48. Signature shown in the graph: Multi AV Scanner detection for submitted file. Process tree: loaddll64.exe starts cmd.exe, two rundll32.exe instances and 15 other processes; cmd.exe starts a further rundll32.exe; the rundll32.exe instances are followed by seven WerFault.exe instances. Network: WerFault.exe contacts 20.189.173.20 on port 443 (local ports 62028, 62029), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States.

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 9VYSw7MFa8.dll | 46% | ReversingLabs | Win64.Trojan.Ulise |
| 9VYSw7MFa8.dll | 57% | Virustotal | |
No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://upx.sf.net | 0% | URL Reputation | safe |
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://upx.sf.net | Amcache.hve.9.dr | false | URL Reputation: safe | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 20.189.173.20 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1503244
Start date and time:2024-09-03 08:51:05 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:42
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:9VYSw7MFa8.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41.exe
Detection:MAL
Classification:mal48.winDLL@81/28@0/1
EGA Information:Failed
HCA Information:Failed
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.189.173.21
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target loaddll64.exe, PID 3916 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 3184 because there are no executed functions
  • Execution Graph export aborted for target rundll32.exe, PID 7260 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
| Time | Type | Description |
|---|---|---|
| 02:52:10 | API Interceptor | 7x Sleep call for process: WerFault.exe modified |
Match: 20.189.173.20

| Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|
| Foto_03_02_2014_IMG_544134.zip | malicious | Unknown |
| setup.exe | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader, Stealc |
| wechat-3.9.7-installer_ae-GFz1.exe | malicious | Coinhive, Crypto Miner, DarkComet, GhostRat, IcedID, LaZagne, Mini RAT |
| https://eu-central.storage.cloudconvert.com/tasks/004d6e18-5b09-432f-ae9a-7d0bef441692/%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240531%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240531T054225Z&X-Amz-Expires=86400&X-Amz-Signature=e44f950daf1a1a2004947d6b8b5f8aa77838142684691288964d6f5027abcb41&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22%40%21Pa%20sc0d%C3%A9__-NewFiLes.zip%22&response-content-type=application%2Fzip&x-id=GetObject | malicious | Vidar |
| WhatsAppAnd2Ios1.dll | malicious | Unknown |
| 2.exe | malicious | SmokeLoader |
| 8A1Qvcfs13.exe | malicious | LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Stealc |
| mtQwhI6PhJ.exe | malicious | Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT |
| c3nBx2HQG2.exe | malicious | Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT |
| odB2NhqqLn.exe | malicious | Unknown |
                      No context
Match: MICROSOFT-CORP-MSN-AS-BLOCKUS

| Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|
| https://www.therecoveryvillage.com/drug-addiction/signs-drug-addiction/ | malicious | Unknown | 150.171.30.10 |
| avanss.exe | malicious | AgentTesla | 13.107.137.11 |
| nxdgJVWkzl.exe | malicious | Unknown | 13.107.137.11 |
| 5t47sm4uW3.exe | malicious | Unknown | 13.107.137.11 |
| nxdgJVWkzl.exe | malicious | Unknown | 13.107.137.11 |
| 5t47sm4uW3.exe | malicious | Unknown | 13.107.137.11 |
| TBIG.exe | malicious | AveMaria, UACMe, XRed | 13.107.246.57 |
| https://xz0816.cn/ | malicious | Unknown | 150.171.27.10 |
| https://shore-alkaline-canvas.glitch.me/public/nfcu703553.HTML | malicious | HTMLPhisher | 150.171.27.10 |
| https://src-assistanceclient.com/robots.txt | malicious | Unknown | 13.74.129.1 |
Match: a0e9f5d64349fb13191bc781f81f42e1

| Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|
| TBIG.exe | malicious | AveMaria, UACMe, XRed | 20.189.173.20 |
| SecuriteInfo.com.Win64.CrypterX-gen.6281.7344.exe | malicious | Unknown | 20.189.173.20 |
| SecuriteInfo.com.Win64.CrypterX-gen.24089.24445.exe | malicious | Unknown | 20.189.173.20 |
| SecuriteInfo.com.Win64.CrypterX-gen.6281.7344.exe | malicious | Unknown | 20.189.173.20 |
| SecuriteInfo.com.Win64.CrypterX-gen.24089.24445.exe | malicious | Unknown | 20.189.173.20 |
| Review_0830.zip | malicious | Unknown | 20.189.173.20 |
| human-verification1.b-cdn.net.ps1 | malicious | LummaC | 20.189.173.20 |
| 0ScreenHunter.exe | malicious | LummaC | 20.189.173.20 |
| 66d5ddcec1520_shtr.exe | malicious | LummaC, Stealc, Vidar | 20.189.173.20 |
| 66d5ddcbb9f86_vyre.exe | malicious | LummaC, Vidar | 20.189.173.20 |
                      No context
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7588424460598515
                      Encrypted:false
                      SSDEEP:192:i6fuiEyU903VaxtjkuzuiFVpZ24lO89j:kipU+3VaxtjNzuiFTY4lO8p
                      MD5:9FD91A1A2BACB3144B806EAE832188A0
                      SHA1:D3E28A02ECB57BDDB0CF07D051D765BEF57F59FC
                      SHA-256:3396B0C19E6CCAC48460D75C6ECF72A95281FAC437185A652FCCBDA8541A40CF
                      SHA-512:E3FEFFE9C1A066B5B1E0C2AE158E1C1CBE6C4D8037AD1DCD336B6D50F5A30FE702D0841E5637387A7685BFA7949C0FE8EED2903DC184234B1D121088DE703840
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7589060749374354
                      Encrypted:false
                      SSDEEP:96:KkXBFNMipyKy3sjn4Rv8bvfzQXIDcQZc6RcEAcw3NdXaXz+HbHgSQgJjch88WpOa:pkipy3903VaxtjkuzuiFVOZ24lO89j
                      MD5:5A6BBBD42651A3A186DDB23B7928917B
                      SHA1:72E415E4A969636AD2EC3F2F041435FC4ACC77E2
                      SHA-256:8E693ED32EA3C7FA454B41142EEF0524669FB6BAE15795114A83386F9D19E236
                      SHA-512:6E8233237011CBFE8BF127F41CEE0389BBC67564EB96FF3AC8249D94938A28DBA2838B48128302B63DD9DD5AE2B6C0C1F3E0DE915DA58A84A7EC6CB9331ACB6D
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7586538336810349
                      Encrypted:false
                      SSDEEP:192:S9v/i1Hy9903VaxtjkuzuiFVpZ24lO89j:u/iw9+3VaxtjNzuiFTY4lO8p
                      MD5:90C66FB05066F5828A82814368D40429
                      SHA1:E18067520EB26C33839AFA2966318AEAD3BCD749
                      SHA-256:1199820160E1AD4430CCA1449BCD2CB4E09D5D03E2DA680AFE958EABB2C89DE9
                      SHA-512:399A658B6EF14267B3085130786ACC925AC043D0F24694CDF83BA16D571B1E0F6EBFE016877FE903C824BDAFA371B5E9CF4C18F2671766CF5B9BF034337818B6
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7591231056894323
                      Encrypted:false
                      SSDEEP:192:/dQAYiuy64u03VZRlBjkuzuiFVpZ24lO89j1://YiT1V3VZRlBjNzuiFTY4lO8p1
                      MD5:47A0567000FCD2EF31C734F752BCB397
                      SHA1:F8B796E2124FE68161A9ECA5843FE5A95CEA139B
                      SHA-256:0ACAAB41F41CBE8CDFB32320995EF6926796A546865884CA2E18F30D2319EF8A
                      SHA-512:BDC86A19437855075D0E76EA9163DEA26C6A633303F05A7B33A4E1300E918D38D988DD12B0F49581C32DD3EB681F52346A0EB614502A8F97EFBA782BD7A1DACE
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7588894189450676
                      Encrypted:false
                      SSDEEP:192:dVGimy+u03VZRlBjkuzuiFVOZ24lO89j:Gib+V3VZRlBjNzuiF4Y4lO8p
                      MD5:E1493EAAF873158620478B4356F0493B
                      SHA1:45D57AFDA3CF0E0228D8C328567EDA2B15A6AA50
                      SHA-256:9F1245A1E6DC5C09761DAAD16FC22BF6D6E58618EAC2630E085B7A1AD0359795
                      SHA-512:72FD38E8D1B8A6AE64F648623BC1FDF31F0EC59F131D290C0F9578ADB40718115E04B56DD6AB4740588E9E8F148A1F6E5C62C2DA4826252303D83416CBC4BBB1
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7562886575732334
                      Encrypted:false
                      SSDEEP:96:K1XbFAI0MibyKy6Qsjn4Rv8bvfzQXIDcQZc6RcEncw3NGXaXz+HbHgSQgJjch88N:43iby6QN03VNmjkuzuiFVpZ24lO89j
                      MD5:DDDE71C8641F551AF18621E0715ECA30
                      SHA1:7B629E70E552CB99413762A5002CABCB399F8783
                      SHA-256:5BD5A4D54BB3270F6CAA3185121947C6687C38565C077722F440C2E5DC9F424F
                      SHA-512:8AC0BFD36932984247CA66D7E8AFB5E2FE1BEDEE9A14EB6188EDCFC5D340CBACC4E6EAAA5E883FF8CAADDC137D64FB5970A127A149F20D185AB45865F3773C14
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7590972999795893
                      Encrypted:false
                      SSDEEP:96:KpX3FwjFMiuyKyasjn4Rv8bvfZQXIDcQZc6RcEwcw3EQzXaXz+HbHgSQgJjch88U:gyaiuyan03VawsjkuzuiFVOZ24lO89j
                      MD5:87A2D0B6B7E09B3F6AFF50C7170E555C
                      SHA1:04E4E6A4ECF2A63A42495CC034C2AC62C1CEF381
                      SHA-256:686EAE971EE6CAA222756750F8D8A592476BF25DB06F2FE9386499E9DEBB3224
                      SHA-512:69E4BC71F3F4AFC8C95D58178F1DC1B7A372CE27E150149D648C81D2A7A957C91113F8F2D9266ACA3FE6315A943E95B52EF3A4B38E30C708B9F45EDF9616761C
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Tue Sep 3 06:52:05 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):56000
                      Entropy (8bit):1.6511377529106661
                      Encrypted:false
                      SSDEEP:192:xK417OtOM/vqM4xGi3qiGOED2fYyRJP2VN+WLy:Q4FHM4xbC+K
                      MD5:B619C2CE18A94CD8698C1EC8F8A81CB2
                      SHA1:FD408E3C5CC459CD1E760379803D82F10E266334
                      SHA-256:38B8B20EB86EB108C8D7BFDC0BBA6B36288F07839F67F00B7253E9550179FDB6
                      SHA-512:C183F21AC55F9072561C3257EEAB1E8D1C7CC993B85C7C157522CB583041227683F1C3D8530161207FCE617407227AAA9707B5A75211256C3988994B37A6B33D
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Tue Sep 3 06:52:05 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):56724
                      Entropy (8bit):1.6217001751749294
                      Encrypted:false
                      SSDEEP:192:xSC46+QnOMmMkCWf3bfcVaGjQs5k1efScxULsySEvIg2cSNxzw:0CX+QOTMkC2UzrVxjySEvZ2cSHw
                      MD5:4BC5829907F313911596C79C042852C9
                      SHA1:056AFB1CEBA23EA6941D5E10EB88C8875A93609C
                      SHA-256:D979EF9FCA2AE3954604A3C0D4D70747FF7F0DB29B8A6F652B972C6A7E48B7F3
                      SHA-512:D8CE87033A7D19D67EEEEFD8F34216D16FD63CD74FFECEAC6EE3D2F17627A2F3338C74F859F12541B0DB20DE6750D6EFFAD20202B048626857D16583CDB653E2
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8762
                      Entropy (8bit):3.702631180577917
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJ1t88aE+IB6YMUZgmf5ZrUpr089bw4BfYQm:R6lXJ128L+u6YPZgmf5ZrwwOfW
                      MD5:1F8142E5BF96A435B3328521230C97CC
                      SHA1:1655E3F0E5A3AEC0A8A15C3972FF2A73E50FDA3C
                      SHA-256:276FA557712F22D7AF34644D25C9C2D1154EEC051D08A83A345D8485B113B32C
                      SHA-512:5DFBB812A4DC36388F524A4AF34A6DAB428E909C0023A069D2F49054A4E230D89C207D86C58F41534AD6C180D12C498B87F0CAC1D468FB2348F3A4965A28C76F
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8770
                      Entropy (8bit):3.70399204696156
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJWp8l+u6YEJufgmf5ZrUprM89bwQBf+xQm:R6lXJI8l+u6Y6egmf5ZrowWf+T
                      MD5:7626455EB9BC1802C0092FC384F5C6E1
                      SHA1:295CDD963A9FFD10401BDD60B2D5636A047BF99A
                      SHA-256:EFD899794CD99019466914A3A3921D32A00B72F7CA631315ACF03DCFB92302C5
                      SHA-512:07F20D12AAA8564E6AE393018E2EC9A297663D4C19275F25AAC56EEDAC367ED9E46A04040A49E8628EF484A6B69DD285DD8E2BE5A7055AF4099962B0476C544E
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4754
                      Entropy (8bit):4.504660277749048
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsU4Jg771I9ReWpW8VYbYm8M4JCKCorFTyq85mJ6sptSTSjd:uIjfU+I7qf7VPJdispoOjd
                      MD5:1CCD050CA32006DF62A191090489EE85
                      SHA1:4D639816865060F59C3C1EF016551B057D8C98B6
                      SHA-256:4EDED4F31639FC1EBC82AD7B31AC7E590EE17B41D838267567D8DD82773C10FC
                      SHA-512:DEE8B94360132C5735A6145E80E6B5ECCA419F77FDCBA631E99CE64056A4A6FE231F21FC2DF6BE7FBAC8360F7D1417A42E06925D8D7EB65B08357B55F2688C81
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Tue Sep 3 06:52:08 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):54628
                      Entropy (8bit):1.6698810541020017
                      Encrypted:false
                      SSDEEP:192:AIVW4OjEOM+dmM6olx44YEEEFelsMbC7g3vCIPwjh4/awfkkkNhPCcQ41rHFnU4U:UD3JdmM6olHJk0M
                      MD5:D421AE9515390480598B11F01EC3E087
                      SHA1:0DD9F52F5AE5829F1F3FC960EEB03E1C5558067E
                      SHA-256:9C3E7B62C2A6E7ED61CF3B68E6CC74D54E66B67FC2D698CB9F0BE2C49A3E76C6
                      SHA-512:BF920250627F53D7DDF02DC60298F8DDD55ED87D5711BE3C917D767D30E2FC098968FA1406F13EF01B42FA6CA9855CE8A7CD017916B3586B1882483E31AB922D
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8762
                      Entropy (8bit):3.705184739719996
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJWMO8h+0Ue6YMiZgmf5wWlwprG89bMDbfDTEm:R6lXJ88h+W6YRZgmf5wWlaMffx
                      MD5:0429E6B7999B7F81C0F9D8A6D0BA5113
                      SHA1:93AD33E9F8C38E61F7347B128009E3B31CDD5B0C
                      SHA-256:9F98B2ECD4AA8C966F85452A50387C745B50C3E638821B4C8FE78F76EDB2A50D
                      SHA-512:AE0617B1252861F01CD0D2BE3080736C8E0A6464338AB4C95E8085CFF9D3214A453B1054678CDBA6D0FCCF397D9C003956C317B0BDC4FA36785ED05B33DA21F4
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4754
                      Entropy (8bit):4.499532557936704
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsU4Jg771I9ReWpW8VYGYm8M4JCKCooFTCyq85mJyptSTSEd:uIjfU+I7qf7VqJKCqpoOEd
                      MD5:23597ADA7B3FA5CA1109F0060446AEEA
                      SHA1:0C86348CA8FA50D75328F5D9B0A488D5ADB63E2D
                      SHA-256:4F4C0444466FF742000BA7935C8A557811B6C6473EE6F537EAC2F05EF582B908
                      SHA-512:518A02F9EA1DAD480DDBEEA95009FD14FE9441918E16DBF29FE3DFC7A43EE4949CFB06B71BE90E640E9D71525836E3567FEB61EE2CC3ACC1CBC73B17F0BEF8DE
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Tue Sep 3 06:52:11 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):56196
                      Entropy (8bit):1.6347608544532282
                      Encrypted:false
                      SSDEEP:192:rp4+HCl/TpBNOMbcXvMEvZuhLV2OlyUkjiK5x/CbctzRi1MHuC:tDit1qK6MEvZc8xz2M
                      MD5:389B14557A59F1050D20834A0A52B9E0
                      SHA1:75DEE4F84D63BF9A2477300B4BE81D1C502F51FA
                      SHA-256:93BDA09A58FE2609B90EB3CA8CBE616A4959D394E6462EA43D7DBA97F7120795
                      SHA-512:F410A032B0262E51B57818FFE053CB092AA186D33769946DE9A862E9F22359A5E681BC03EEBAF8B2CAE533997738620A892F35BAAF27B403FDA7BCAA69851F2C
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8510
                      Entropy (8bit):3.7006574245161223
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJhm83+IB6YMeZgmf5JcprG89b1bWfqnm:R6lXJg83+u6YNZgmf5JW1afz
                      MD5:8E8739B1A38497064D64D0C3AAD75886
                      SHA1:C17D3341E9214D3DB93F59729CBFC45A9B279293
                      SHA-256:0B90E9B11EBCC8A4A68BF6023C67C5908D451C9FF6C915EEF66ED6B35412980C
                      SHA-512:9BD48BDA2470B2E1ECA4F230B96166D31A8A4C4427B0445ACF7BF52FF55E29E64FFB262453479E2C31E70DE85F9931653626BFB80505451770D2E8F9DF83D2E3
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4753
                      Entropy (8bit):4.503549869665457
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsU4Jg771I9ReWpW8VYH6Ym8M4JCKCoBFEkwyq85mJiptSTS2d:uIjfU+I7qf7V2J9wKpoO2d
                      MD5:E5846462474EF7D32ECAB5D241739535
                      SHA1:F08EA2AF356FFFF807546CC7917276999E3E7D45
                      SHA-256:49C280EECD5306EC5A05AF75ABD7160928A0D9923AA7E391B718D9DC0599B916
                      SHA-512:DCAE69832BC4E95891DA9C1314B565C923ED56194374528124153F2EEF6E5C5455787DF8610AC400E3DDA26ADFCD6E1C87ACE7027F2884DB06DCE13085DE3CFA
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Tue Sep 3 06:52:15 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):58052
                      Entropy (8bit):1.5948829511054752
                      Encrypted:false
                      SSDEEP:192:nwC4U6uiOMhFTLMPB38yKKK59WOMld82ffxsjZvSH1NThC0:wCdt96LMPB3LKKKv2ntC
                      MD5:6E30FDEF009913CAFEB380D4E01E7DCC
                      SHA1:24CA1DFA0C49CEA73B921B247B9278D79B1F6EC9
                      SHA-256:AD032272C8F94D4E4C531BC702330C91CAA15675BA216140EA804BE9E47AD526
                      SHA-512:DA22806F2E3DEF9344B0E90A12B4F43A61BC5CDEB511C1AC5C9FF3AE81B0717D71ABD41AD32E54FD5B534AA1FCD064A001AFA65EE9AC9B698F7739CB4528D250
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Tue Sep 3 06:52:16 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):56532
                      Entropy (8bit):1.6298587999203897
                      Encrypted:false
                      SSDEEP:192:494iAv19YXOMxMlQ1NmiDNyX95tWHSBK798uGtA61:EDI1YMlQt7GuGt
                      MD5:D4734F41E2118F59C8FFECAE5A187499
                      SHA1:E073153E3CC40FBA9007C84F3A571E258B4E0632
                      SHA-256:560F7C024950159D1260581BC5CDAEB0F96153F009F102D14EB1A844FBDE5B22
                      SHA-512:0D01C39A0F5DE18EA7DF128220621BA04139D0A7D534634B10A09CEF63792F4610524E7164DC871F5092CBEE0EFA8F92938EA5B0658D16297BFE65EFC6DEA794
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8768
                      Entropy (8bit):3.70237321470177
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJS983+LB6YMxKgmf5ZrUpr589b6F/bfM+m:R6lXJQ83+96YaKgmf5Zrf6Fzfs
                      MD5:AA9C58BC7ADAE6606E9A19449A343680
                      SHA1:67864BF3A9E907FB956AB14305952D4FA3ACECA3
                      SHA-256:02F37FEAB88774A7A187C12E10144AD7860EB124E9360097B0D4C5B7A7C4BA3D
                      SHA-512:8784881866050173457D6F19C6484BE2ED74890046C321A96ABD861BD1881C66F78A1DB8B1D9109187317EF0A7D1344F0EF855F676B4BFB341939B8662C02772
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Tue Sep 3 06:52:16 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):57732
                      Entropy (8bit):1.6055588075693363
                      Encrypted:false
                      SSDEEP:192:4p4XSk+3OMMNyQlJl4MYY0gT8s884n2ExbolW/w9oDVy5eeSpE+:0iSmDNOMYY0Nl/o/SpE
                      MD5:48C6C7EE13A575D75924AF82436E92FF
                      SHA1:EBA8B43D2984927372D8AB66073761BEAC5D9359
                      SHA-256:E9F1C2DB551AB204AD005B51AA1D187209DAB2805A65B016595143B794DC6169
                      SHA-512:665A537EEFBB5768AB9E559B961E90D710076E41D2400B7F64FF3EFAB8F30B64B39D561EBE1F9E2E8099183CC3893D276070071D6D12EF297972429F6EB62D59
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8768
                      Entropy (8bit):3.7057956013315745
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJm08f+96YMkPgmf5wWlwprR289b6gbfEX+m:R6lXJN8f+96YvPgmf5wWlif60fK
                      MD5:57CDE7872B3166FDA7F8CF5FA3B924A9
                      SHA1:94CE170EAA04B8551F5F7C4E48E5571E51280861
                      SHA-256:68C2933E6453F55B3448189CAE20D64F6AC560452A9249630C2B021ACB03FE7D
                      SHA-512:BEAC253814D531AE251D05C55592BAEE8E62837BC8641A07811B71B4427526654FC321454B3FEDA210C6583B5CC0A82C1A7EF4C1E2BE9FC035FE03D313637CD9
                      Malicious:false
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4754
                      Entropy (8bit):4.501725969242078
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsU4Jg771I9ReWpW8VYXCYm8M4JCKCooF5xyq85mJGTptSTShd:uIjfU+I7qf7VOrJieTpoOhd
                      MD5:3C1B297A00710E24692C49CBF6C873CF
                      SHA1:D47BE1600BA3C5FC26F76F81A9FBF64123F0D757
                      SHA-256:25D0156FC747352633DF5F7F06A9EEE591B4DAB904E2914995DC3E143665CF4E
                      SHA-512:0FDC6FF6090F664F4E7845E8B0F5F309E219D84202A5F1B1848F61E2AA66EC23D11BD0665233919A45C146BE5E21196E725D507A7C4C0F6F18D8FEC93F79E611
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="483714" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4754
                      Entropy (8bit):4.503065389152326
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsU4Jg771I9ReWpW8VYgYm8M4JCKCorF0uyq85mJKptSTS8d:uIjfU+I7qf7V4J6uipoO8d
                      MD5:8CDC545CDC663FA7097A031FA240B4D2
                      SHA1:1C8E27BE666E35E312D4C70BE0B80BE0F22ACD20
                      SHA-256:1BFD9F59DE06D75E8FC5BF18CF5B9F36219618E850702DBFF3909EA8154B8B38
                      SHA-512:F37321A108D502A730EDBD3919C2B9C84BC97DB7FC46150C7461AB4BEF2E07DD4240E6ED85C6A6549A789BF90EDBB5C5D03EAF1B9D5BB6A90881199B697023B0
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="483714" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8772
                      Entropy (8bit):3.70435729053257
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJtM86+e6YMgPgmf5rC/pru89b6/bfe+m:R6lXJ286+e6YLPgmf5rCF6zfe
                      MD5:F6A5DBF6F9EB7BDD13270EB96BD39EE0
                      SHA1:FE69DE99D9DD3B590AC2DA177092D2B0973F217F
                      SHA-256:507919BCBCA0B188D09116092ED7F5AE0F170D9B32CC8FC7411439CA76352DC1
                      SHA-512:9C6965D437EAD7AE497443BD13BB6531850CCED4F8D4C1A38C3E8138B9766EADFDECC6EB4E346C8D9BD627D316A256B19F5CD9BE4CCEE1F522BCAD7A7013C9AA
                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>2244</Pi
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4754
                      Entropy (8bit):4.5009189557231215
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsU4Jg771I9ReWpW8VY6Ym8M4JCKCoJFEsQyq85mJrptSTS1d:uIjfU+I7qf7VOJ0DpoO1d
                      MD5:00C6287FB878D9138A464A3A6DBFC634
                      SHA1:53C2FC74609B49B3FB16F27E9A17B3C6CC138DD6
                      SHA-256:0A0CEA87953ACC0E9F8F76B514E3C71C0C240A445E2D15F112AC2B34494E4212
                      SHA-512:1EF2F6751F29CAD790ECAEDD647D1847F575A82C3FC17EC37EB32F3F59DB212307BAE77687D2046508FA07A3EAE78DF1FFBCCB5136B959C9BA48DA307BCF48EF
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="483714" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):1835008
                      Entropy (8bit):4.469521005193833
                      Encrypted:false
                      SSDEEP:6144:VzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNMjDH5S:tZHtYZWOKnMM6bFpaj4
                      MD5:CB79C78B826836CF6CC9EE6CD39C9BFE
                      SHA1:565906241430D7893FCE023A3793DA92E9F9FD1E
                      SHA-256:99C5CD5BC4AA81A352F5455C3D31AA988AA10F5E811809430C4802C3A1BE5C55
                      SHA-512:E4EC544BAE365645D36F4FC69BDA7BCD2E7174FE8FD07DE44A8419CCCBA53071875E19A76210A8460E18BEBBB97031FA6A8C294A2075A4F86E42C78A10624CA6
                      Malicious:false
Preview:regf (binary registry hive; embedded hive path \AppCompat\Programs\Amcache.hve, remainder is binary data)
                      File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                      Entropy (8bit):6.452054935419929
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                      • Win64 Executable (generic) (12005/4) 10.17%
                      • Generic Win/DOS Executable (2004/3) 1.70%
                      • DOS Executable Generic (2002/1) 1.70%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                      File name:9VYSw7MFa8.dll
                      File size:3'023'360 bytes
                      MD5:57439e19c45bc847f6d62825c1008108
                      SHA1:c58285c72a5d658f3e4de6c0704fd65eb4a4e298
                      SHA256:e7e674218a7d93595e33a092f4f519a65499651a398ca350f5a50e135e64fa41
                      SHA512:ab6658b2538d9894a88659b4a34a3475a2adb0db8e76abd1c54f83eb6707c40fa28ae46a8361268cc4a904ce32786e37a91dba33d8ae5b13a48db02e65968f2a
                      SSDEEP:49152:tIEFD9UfWifI29mfKQnMg2XgEl7MV/yTm:QU9yTm
                      TLSH:47E54A4562AD84E1E07B90BDD6DFBA1FF5213408071096CB06E44A9D6F33FE54BBA722
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b...&...&...&...I.<.$...=.=.I...=...6.../...%...&...z...=.<.$...=...'...=...'...=...'...Rich&...........................PE..d..
                      Icon Hash:7ae282899bbab082
                      Entrypoint:0x1802173ac
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x180000000
                      Subsystem:windows cui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x5252EF36 [Mon Oct 7 17:28:22 2013 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:2
                      File Version Major:5
                      File Version Minor:2
                      Subsystem Version Major:5
                      Subsystem Version Minor:2
                      Import Hash:d8cf501f2ead6a968abf3df1e5f5d366
                      Instruction
                      dec eax
                      xor eax, eax
                      dec eax
                      inc eax
                      ret
                      je 00007FB1044FFCA6h
                      adc byte ptr [edi+48h], dl
                      sub esp, 20h
                      dec ecx
                      mov edi, eax
                      mov ebx, edx
                      dec eax
                      mov esi, ecx
                      cmp edx, 01h
                      jne 00007FB1044FFC87h
                      call 00007FB10450584Ch
                      dec esp
                      mov eax, edi
                      mov edx, ebx
                      dec eax
                      mov ecx, esi
                      dec eax
                      mov ebx, dword ptr [esp+30h]
                      dec eax
                      mov esi, dword ptr [esp+38h]
                      dec eax
                      add esp, 20h
                      pop edi
                      jmp 00007FB1044FFB2Ch
                      int3
                      int3
                      int3
                      movapd xmm1, xmm0
                      dec eax
                      arpl dx, ax
                      dec eax
                      add eax, 000003FFh
                      dec eax
                      shl eax, 34h
                      dec eax
                      mov dword ptr [esp+08h], eax
                      movsd xmm0, qword ptr [esp+08h]
                      mulsd xmm0, xmm1
                      ret
                      int3
                      int3
                      int3
                      xor eax, eax
                      test cl, 00000001h
                      lea edx, dword ptr [eax+08h]
                      cmovne eax, edx
                      test cl, 00000002h
                      je 00007FB1044FFC85h
                      or eax, 10h
                      test cl, 00000004h
                      je 00007FB1044FFC85h
                      or eax, 04h
                      test dl, cl
                      je 00007FB1044FFC85h
                      or eax, 01h
                      test cl, 00000010h
                      je 00007FB1044FFC85h
                      or eax, 20h
                      mov ecx, eax
                      jmp 00007FB104503C18h
                      int3
                      int3
                      int3
                      dec eax
                      sub esp, 38h
                      xor eax, eax
                      test dl, 00000001h
movaps dqword ptr [esp+20h], xmm6
                      lea ecx, dword ptr [eax+08h]
                      movaps xmm6, xmm0
                      cmovne eax, ecx
                      test dl, 00000002h
                      je 00007FB1044FFC85h
                      or eax, 10h
                      test dl, 00000004h
                      je 00007FB1044FFC85h
                      or eax, 04h
                      test cl, dl
                      je 00007FB1044FFC85h
                      or eax, 01h
                      test dl, 00000000h
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ C ] VS2010 SP1 build 40219
                      • [ASM] VS2010 SP1 build 40219
                      • [IMP] VS2008 SP1 build 30729
                      • [C++] VS2010 SP1 build 40219
                      • [EXP] VS2010 SP1 build 40219
                      • [RES] VS2010 SP1 build 40219
                      • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2acd90 | 0x2565 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2ac4b8 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e5000 | 0x370 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x2be000 | 0x22914 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e6000 | 0x3464 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x25b420 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25b000 | 0x2a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2a674c | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x25949a | 0x259600 | 2f874068ef01177a8154d0795ca97339 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x25b000 | 0x542f5 | 0x54400 | 9e033081d6bad978004a123b1f7f23ce | False | 0.28494470975519287 | data | 5.8455739301495955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2b0000 | 0xd558 | 0x9a00 | 3bc99e27eb12786548718b798c708c05 | False | 0.16832386363636365 | data | 3.8581214302782416 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x2be000 | 0x22914 | 0x22a00 | 5fc2a3e01e2d5b02d363402656eb02dd | False | 0.4788047157039711 | data | 6.31744475333095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
text | 0x2e1000 | 0x1268 | 0x1400 | 84fb5b732b2e0edf08b27d33c8235aa4 | False | 0.4982421875 | data | 5.569586572462058 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE
data | 0x2e3000 | 0x15d0 | 0x1600 | 299d45ab57f973b79e4772e7e093314b | False | 0.7329545454545454 | data | 6.636519163646347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2e5000 | 0x370 | 0x400 | 7a1abc67b9e0bd87d50cae7b9822bc23 | False | 0.380859375 | data | 2.919366717567658 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2e6000 | 0x501e | 0x5200 | 3f385ebac9df14d34a8eb9633b197cd0 | False | 0.1408155487804878 | data | 4.310837515817458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x2e5060 | 0x310 | data | English | United States | 0.4528061224489796
DLL | Import
KERNEL32.dll | MapViewOfFile, GetLastError, CreateFileMappingA, GetCurrentProcessId, GetVersionExA, CloseHandle, UnmapViewOfFile, LoadLibraryA, GetProcAddress, GetModuleHandleA, DecodePointer, EncodePointer, HeapAlloc, GetCurrentThreadId, FlsSetValue, GetCommandLineA, HeapFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, TerminateProcess, GetCurrentProcess, WriteFile, GetStdHandle, GetModuleFileNameW, GetLocaleInfoW, GetModuleHandleW, ExitProcess, HeapSetInformation, GetVersion, HeapCreate, HeapDestroy, Sleep, HeapSize, RtlUnwindEx, RaiseException, RtlPcToFileHeader, FlsGetValue, FlsFree, SetLastError, GetCurrentThread, FlsAlloc, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, FatalAppExitA, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, SetConsoleCtrlHandler, LoadLibraryW, FreeLibrary, HeapReAlloc, SetStdHandle, WriteConsoleW, MultiByteToWideChar, LCMapStringW, GetStringTypeW, FlushFileBuffers, CreateFileW, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, LocalAlloc, LocalFree
Name | Ordinal | Address
??0NbBroadPhaseAddsProperty@physx@@QEAA@XZ | 1 | 0x180099180
??0NbBroadPhaseRemovesProperty@physx@@QEAA@XZ | 2 | 0x1800991c0
??0NbCCDPairsProperty@physx@@QEAA@XZ | 3 | 0x1800992c0
??0NbDiscreteContactPairsProperty@physx@@QEAA@XZ | 4 | 0x180099240
??0NbModifiedContactPairsProperty@physx@@QEAA@XZ | 5 | 0x180099280
??0NbShapesProperty@physx@@QEAA@XZ | 6 | 0x180099200
??0NbTriggerPairsProperty@physx@@QEAA@XZ | 7 | 0x180099300
??0ProjectionPlaneProperty@physx@@QEAA@XZ | 8 | 0x1800993b0
??0PxActorGeneratedInfo@physx@@QEAA@XZ | 9 | 0x18008f570
??0PxActorGeneratedValues@physx@@QEAA@PEBVPxActor@1@@Z | 10 | 0x18008bf40
??0PxAggregateGeneratedInfo@physx@@QEAA@XZ | 11 | 0x18008f220
??0PxAggregateGeneratedValues@physx@@QEAA@PEBVPxAggregate@1@@Z | 12 | 0x18008cd00
??0PxArticulationGeneratedInfo@physx@@QEAA@XZ | 13 | 0x180090020
??0PxArticulationGeneratedValues@physx@@QEAA@PEBVPxArticulation@1@@Z | 14 | 0x18008cbd0
??0PxArticulationJointGeneratedInfo@physx@@QEAA@XZ | 15 | 0x18008fca0
??0PxArticulationJointGeneratedValues@physx@@QEAA@PEBVPxArticulationJoint@1@@Z | 16 | 0x18008c930
??0PxArticulationLinkGeneratedInfo@physx@@QEAA@XZ | 17 | 0x18008fc00
??0PxArticulationLinkGeneratedValues@physx@@QEAA@PEBVPxArticulationLink@1@@Z | 18 | 0x18008c650
??0PxBoxGeometryGeneratedInfo@physx@@QEAA@XZ | 19 | 0x1800918c0
??0PxBoxGeometryGeneratedValues@physx@@QEAA@PEBVPxBoxGeometry@1@@Z | 20 | 0x18008e5b0
??0PxCapsuleGeometryGeneratedInfo@physx@@QEAA@XZ | 21 | 0x180091900
??0PxCapsuleGeometryGeneratedValues@physx@@QEAA@PEBVPxCapsuleGeometry@1@@Z | 22 | 0x18008e5d0
??0PxClothFabricGeneratedInfo@physx@@QEAA@XZ | 23 | 0x18008f2b0
??0PxClothFabricGeneratedValues@physx@@QEAA@PEBVPxClothFabric@1@@Z | 24 | 0x18008d1d0
??0PxClothFabricPhaseGeneratedInfo@physx@@QEAA@XZ | 25 | 0x180091db0
??0PxClothFabricPhaseGeneratedValues@physx@@QEAA@PEBUPxClothFabricPhase@1@@Z | 26 | 0x18008e760
??0PxClothGeneratedInfo@physx@@QEAA@XZ | 27 | 0x180090610
??0PxClothGeneratedValues@physx@@QEAA@PEBVPxCloth@1@@Z | 28 | 0x18008eba0
??0PxClothMotionConstraintConfigGeneratedInfo@physx@@QEAA@XZ | 29 | 0x180092ab0
??0PxClothMotionConstraintConfigGeneratedValues@physx@@QEAA@PEBUPxClothMotionConstraintConfig@1@@Z | 30 | 0x18008e9c0
??0PxClothParticleDataGeneratedInfo@physx@@QEAA@XZ | 31 | 0x180092b40
??0PxClothParticleDataGeneratedValues@physx@@QEAA@PEBVPxClothParticleData@1@@Z | 32 | 0x18008e9e0
??0PxClothParticleGeneratedInfo@physx@@QEAA@XZ | 33 | 0x180091d50
??0PxClothParticleGeneratedValues@physx@@QEAA@PEBUPxClothParticle@1@@Z | 34 | 0x18008e740
??0PxClothStretchConfigGeneratedInfo@physx@@QEAA@XZ | 35 | 0x1800929a0
??0PxClothStretchConfigGeneratedValues@physx@@QEAA@PEBUPxClothStretchConfig@1@@Z | 36 | 0x18008e980
??0PxClothTetherConfigGeneratedInfo@physx@@QEAA@XZ | 37 | 0x180092a50
??0PxClothTetherConfigGeneratedValues@physx@@QEAA@PEBUPxClothTetherConfig@1@@Z | 38 | 0x18008e9a0
??0PxConstraintGeneratedInfo@physx@@QEAA@XZ | 39 | 0x1800902c0
??0PxConstraintGeneratedValues@physx@@QEAA@PEBVPxConstraint@1@@Z | 40 | 0x18008cde0
??0PxConvexMeshGeometryGeneratedInfo@physx@@QEAA@XZ | 41 | 0x1800919c0
??0PxConvexMeshGeometryGeneratedValues@physx@@QEAA@PEBVPxConvexMeshGeometry@1@@Z | 42 | 0x18008e630
??0PxGeometryGeneratedInfo@physx@@QEAA@XZ | 43 | 0x18008e590
??0PxGeometryGeneratedValues@physx@@QEAA@PEBVPxGeometry@1@@Z | 44 | 0x18008e5a0
??0PxHeightFieldDescGeneratedInfo@physx@@QEAA@XZ | 45 | 0x180091be0
??0PxHeightFieldDescGeneratedValues@physx@@QEAA@PEBVPxHeightFieldDesc@1@@Z | 46 | 0x18008efc0
??0PxHeightFieldGeometryGeneratedInfo@physx@@QEAA@XZ | 47 | 0x180091b00
??0PxHeightFieldGeometryGeneratedValues@physx@@QEAA@PEBVPxHeightFieldGeometry@1@@Z | 48 | 0x18008ef50
??0PxLockedDataGeneratedInfo@physx@@QEAA@XZ | 49 | 0x18008e8f0
??0PxLockedDataGeneratedValues@physx@@QEAA@PEBVPxLockedData@1@@Z | 50 | 0x18008e900
??0PxMaterialGeneratedInfo@physx@@QEAA@XZ | 51 | 0x18008f3d0
??0PxMaterialGeneratedValues@physx@@QEAA@PEBVPxMaterial@1@@Z | 52 | 0x18008bdc0
??0PxMeshScaleGeneratedInfo@physx@@QEAA@XZ | 53 | 0x180091960
??0PxMeshScaleGeneratedValues@physx@@QEAA@PEBVPxMeshScale@1@@Z | 54 | 0x18008e5f0
??0PxParticleBaseGeneratedInfo@physx@@QEAA@XZ | 55 | 0x180090be0
??0PxParticleBaseGeneratedValues@physx@@QEAA@PEBVPxParticleBase@1@@Z | 56 | 0x18008da60
??0PxParticleFluidGeneratedInfo@physx@@QEAA@XZ | 57 | 0x180090eb0
??0PxParticleFluidGeneratedValues@physx@@QEAA@PEBVPxParticleFluid@1@@Z | 58 | 0x18008dc10
??0PxParticleReadDataGeneratedInfo@physx@@QEAA@XZ | 59 | 0x180092820
??0PxParticleReadDataGeneratedValues@physx@@QEAA@PEBVPxParticleReadData@1@@Z | 60 | 0x18008e910
??0PxParticleSystemGeneratedInfo@physx@@QEAA@XZ | 61 | 0x180090f90
??0PxParticleSystemGeneratedValues@physx@@QEAA@PEBVPxParticleSystem@1@@Z | 62 | 0x18008dca0
??0PxPhysicsGeneratedInfo@physx@@QEAA@XZ | 63 | 0x180090fe0
??0PxPhysicsGeneratedValues@physx@@QEAA@PEBVPxPhysics@1@@Z | 64 | 0x18008de50
??0PxPlaneGeometryGeneratedInfo@physx@@QEAA@XZ | 65 | 0x18008e720
??0PxPlaneGeometryGeneratedValues@physx@@QEAA@PEBVPxPlaneGeometry@1@@Z | 66 | 0x18008e730
??0PxRigidActorGeneratedInfo@physx@@QEAA@XZ | 67 | 0x18008f6d0
??0PxRigidActorGeneratedValues@physx@@QEAA@PEBVPxRigidActor@1@@Z | 68 | 0x18008c080
??0PxRigidBodyGeneratedInfo@physx@@QEAA@XZ | 69 | 0x18008f790
??0PxRigidBodyGeneratedValues@physx@@QEAA@PEBVPxRigidBody@1@@Z | 70 | 0x18008c2c0
??0PxRigidDynamicGeneratedInfo@physx@@QEAA@XZ | 71 | 0x18008f9a0
??0PxRigidDynamicGeneratedValues@physx@@QEAA@PEBVPxRigidDynamic@1@@Z | 72 | 0x18008c4d0
??0PxRigidStaticGeneratedInfo@physx@@QEAA@XZ | 73 | 0x18008fbc0
??0PxRigidStaticGeneratedValues@physx@@QEAA@PEBVPxRigidStatic@1@@Z | 74 | 0x18008c5c0
??0PxSceneDescGeneratedInfo@physx@@QEAA@XZ | 75 | 0x180091f60
??0PxSceneDescGeneratedValues@physx@@QEAA@PEBVPxSceneDesc@1@@Z | 76 | 0x18008f080
??0PxSceneGeneratedInfo@physx@@QEAA@XZ | 77 | 0x180091230
??0PxSceneGeneratedValues@physx@@QEAA@PEBVPxScene@1@@Z | 78 | 0x18008e2e0
??0PxSceneLimitsGeneratedInfo@physx@@QEAA@XZ | 79 | 0x180091e10
??0PxSceneLimitsGeneratedValues@physx@@QEAA@PEBVPxSceneLimits@1@@Z | 80 | 0x18008e780
??0PxShapeGeneratedInfo@physx@@QEAA@XZ | 81 | 0x1800903c0
??0PxShapeGeneratedValues@physx@@QEAA@PEBVPxShape@1@@Z | 82 | 0x18008d040
??0PxSimulationStatisticsGeneratedInfo@physx@@QEAA@XZ | 83 | 0x1800925e0
??0PxSimulationStatisticsGeneratedValues@physx@@QEAA@PEBVPxSimulationStatistics@1@@Z | 84 | 0x18008e7d0
??0PxSphereGeometryGeneratedInfo@physx@@QEAA@XZ | 85 | 0x180091a20
??0PxSphereGeometryGeneratedValues@physx@@QEAA@PEBVPxSphereGeometry@1@@Z | 86 | 0x18008e6c0
??0PxTolerancesScaleGeneratedInfo@physx@@QEAA@XZ | 87 | 0x180091190
??0PxTolerancesScaleGeneratedValues@physx@@QEAA@PEBVPxTolerancesScale@1@@Z | 88 | 0x18008deb0
??0PxTriangleMeshGeometryGeneratedInfo@physx@@QEAA@XZ | 89 | 0x180091a70
??0PxTriangleMeshGeometryGeneratedValues@physx@@QEAA@PEBVPxTriangleMeshGeometry@1@@Z | 90 | 0x18008ef00
??0RestvaluesProperty@physx@@QEAA@XZ | 91 | 0x180099370
??0SimulationStatisticsProperty@physx@@QEAA@XZ | 92 | 0x180099340
?PxCreateSpatialIndex@physx@@YAPEAVPxSpatialIndex@1@XZ | 93 | 0x180087ae0
?createConvexMeshMirror@PxParticleGpu@physx@@SA_NAEBVPxConvexMesh@2@AEAVPxCudaContextManager@2@@Z | 94 | 0x180002680
?createHeightFieldMirror@PxParticleGpu@physx@@SA_NAEBVPxHeightField@2@AEAVPxCudaContextManager@2@@Z | 95 | 0x180002600
?createLink@PxArticulationLinkCollectionPropHelper@physx@@QEBAPEAVPxArticulationLink@2@PEAVPxArticulation@2@PEAV32@AEBVPxTransform@2@@Z | 96 | 0x1800990a0
?createShape@PxRigidActorShapeCollectionHelper@physx@@QEBAPEAVPxShape@2@PEAVPxRigidActor@2@AEBVPxGeometry@2@AEAVPxMaterial@2@V?$PxFlags@W4Enum@PxShapeFlag@physx@@E@2@@Z | 97 | 0x1800990e0
?createShape@PxRigidActorShapeCollectionHelper@physx@@QEBAPEAVPxShape@2@PEAVPxRigidActor@2@AEBVPxGeometry@2@PEBQEAVPxMaterial@2@GV?$PxFlags@W4Enum@PxShapeFlag@physx@@E@2@@Z | 98 | 0x180099130
?createTriangleMeshMirror@PxParticleGpu@physx@@SA_NAEBVPxTriangleMesh@2@AEAVPxCudaContextManager@2@@Z | 99 | 0x180002580
?getGeometry@PxShapeGeometryPropertyHelper@physx@@QEBA_NPEBVPxShape@2@AEAVPxBoxGeometry@2@@Z | 100 | 0x180098fa0
?getGeometry@PxShapeGeometryPropertyHelper@physx@@QEBA_NPEBVPxShape@2@AEAVPxCapsuleGeometry@2@@Z | 101 | 0x180098fe0
?getGeometry@PxShapeGeometryPropertyHelper@physx@@QEBA_NPEBVPxShape@2@AEAVPxConvexMeshGeometry@2@@Z | 102 | 0x180099020
?getGeometry@PxShapeGeometryPropertyHelper@physx@@QEBA_NPEBVPxShape@2@AEAVPxHeightFieldGeometry@2@@Z | 103 | 0x180099060
?getGeometry@PxShapeGeometryPropertyHelper@physx@@QEBA_NPEBVPxShape@2@AEAVPxPlaneGeometry@2@@Z | 104 | 0x180099000
?getGeometry@PxShapeGeometryPropertyHelper@physx@@QEBA_NPEBVPxShape@2@AEAVPxSphereGeometry@2@@Z | 105 | 0x180098fc0
?getGeometry@PxShapeGeometryPropertyHelper@physx@@QEBA_NPEBVPxShape@2@AEAVPxTriangleMeshGeometry@2@@Z | 106 | 0x180099040
?getGeometryType@PxShapeGeometryPropertyHelper@physx@@QEBA?AW4Enum@PxGeometryType@2@PEBVPxShape@2@@Z | 107 | 0x180098f90
?getReadWriteCudaBuffers@PxParticleDeviceExclusive@physx@@SAXAEAVPxParticleBase@2@AEAUPxCudaReadWriteParticleBuffers@2@@Z | 108 | 0x180002020
?registerPhysXIndicatorGpuClient@PxPhysXIndicatorDeviceExclusive@physx@@SAXAEAVPxPhysics@2@@Z | 109 | 0x1800027a0
?releaseConvexMeshMirror@PxParticleGpu@physx@@SAXAEBVPxConvexMesh@2@PEAVPxCudaContextManager@2@@Z | 110 | 0x1800026c0
?releaseHeightFieldMirror@PxParticleGpu@physx@@SAXAEBVPxHeightField@2@PEAVPxCudaContextManager@2@@Z | 111 | 0x180002640
?releaseTriangleMeshMirror@PxParticleGpu@physx@@SAXAEBVPxTriangleMesh@2@PEAVPxCudaContextManager@2@@Z | 112 | 0x1800025c0
?setExplicitCudaFlushCountHint@PxParticleGpu@physx@@SAXAEBVPxScene@2@I@Z | 113 | 0x180002700
?setFlags@PxParticleDeviceExclusive@physx@@SAXAEAVPxParticleBase@2@V?$PxFlags@W4Enum@PxParticleDeviceExclusiveFlag@physx@@I@2@@Z | 114 | 0x1800020c0
?setMaterials@PxShapeMaterialsPropertyHelper@physx@@QEBAXPEAVPxShape@2@PEBQEAVPxMaterial@2@G@Z | 115 | 0x180099080
?setTriangleMeshCacheSizeHint@PxParticleGpu@physx@@SA_NAEBVPxScene@2@I@Z | 116 | 0x180002740
?setValidParticleRange@PxParticleDeviceExclusive@physx@@SAXAEAVPxParticleBase@2@I@Z | 117 | 0x180002070
?unregisterPhysXIndicatorGpuClient@PxPhysXIndicatorDeviceExclusive@physx@@SAXAEAVPxPhysics@2@@Z | 118 | 0x1800027b0
PxAddCollectionToPhysics | 119 | 0x180057ce0
PxCreateBasePhysics | 120 | 0x1800582b0
PxGetPhysics | 121 | 0x1800573c0
PxGetPhysicsBinaryMetaData | 122 | 0x180056ba0
PxGetValue | 123 | 0x1800574c0
PxRegisterArticulations | 124 | 0x1800573d0
PxRegisterCloth | 125 | 0x180057430
PxRegisterHeightFields | 126 | 0x180057410
PxRegisterParticles | 127 | 0x1800574a0
PxRegisterPhysicsSerializers | 128 | 0x18007d7d0
PxRegisterUnifiedHeightFields | 129 | 0x1800573f0
PxSetPhysXDelayLoadHook | 130 | 0x1800029f0
PxUnregisterPhysicsSerializers | 131 | 0x18007ced0
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Sep 3, 2024 08:52:10.298291922 CEST | 53 | 60538 | 1.1.1.1 | 192.168.2.6
                      • umwatson.events.data.microsoft.com
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.6 | 62029 | 20.189.173.20 | 443 | 1216 | C:\Windows\System32\WerFault.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-09-03 06:52:11 UTC | 1095 | OUT | POST /Telemetry.Request HTTP/1.1
                      Connection: Keep-Alive
                      User-Agent: MSDW
                      MSA_DeviceTicket: t=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&p=
                      Content-Length: 4758
                      Host: umwatson.events.data.microsoft.com


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      1 | 192.168.2.6 | 62028 | 20.189.173.20 | 443 | 2632 | C:\Windows\System32\WerFault.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-09-03 06:52:11 UTC | 1095 | OUT | POST /Telemetry.Request HTTP/1.1
                      Connection: Keep-Alive
                      User-Agent: MSDW
                      MSA_DeviceTicket: t=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&p=
                      Content-Length: 4758
                      Host: umwatson.events.data.microsoft.com


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      2 | 192.168.2.6 | 62031 | 20.189.173.20 | 443 | 616 | C:\Windows\System32\WerFault.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-09-03 06:52:13 UTC | 1095 | OUT | POST /Telemetry.Request HTTP/1.1
                      Connection: Keep-Alive
                      User-Agent: MSDW
                      MSA_DeviceTicket: t=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&p=
                      Content-Length: 4758
                      Host: umwatson.events.data.microsoft.com



                      Target ID:0
                      Start time:02:52:05
                      Start date:03/09/2024
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll"
                      Imagebase:0x7ff7969e0000
                      File size:165'888 bytes
                      MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:1
                      Start time:02:52:05
                      Start date:03/09/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff66e660000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:2
                      Start time:02:52:05
                      Start date:03/09/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",#1
                      Imagebase:0x7ff73abd0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:02:52:05
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\9VYSw7MFa8.dll,??0NbBroadPhaseAddsProperty@physx@@QEAA@XZ
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:4
                      Start time:02:52:05
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",#1
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:9
                      Start time:02:52:05
                      Start date:03/09/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 2188 -s 324
                      Imagebase:0x7ff6e7fb0000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:10
                      Start time:02:52:05
                      Start date:03/09/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 4952 -s 324
                      Imagebase:0x7ff6e7fb0000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:11
                      Start time:02:52:08
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\9VYSw7MFa8.dll,??0NbBroadPhaseRemovesProperty@physx@@QEAA@XZ
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:13
                      Start time:02:52:08
                      Start date:03/09/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 3704 -s 320
                      Imagebase:0x7ff6e7fb0000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:14
                      Start time:02:52:11
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\9VYSw7MFa8.dll,??0NbCCDPairsProperty@physx@@QEAA@XZ
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:16
                      Start time:02:52:11
                      Start date:03/09/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 6684 -s 316
                      Imagebase:0x7ff6e7fb0000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:17
                      Start time:02:52:14
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",??0NbBroadPhaseAddsProperty@physx@@QEAA@XZ
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:18
                      Start time:02:52:14
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",??0NbBroadPhaseRemovesProperty@physx@@QEAA@XZ
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:20
                      Start time:02:52:14
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",??0NbCCDPairsProperty@physx@@QEAA@XZ
                      Imagebase:0x7ff66e660000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:22
                      Start time:02:52:14
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxUnregisterPhysicsSerializers
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:23
                      Start time:02:52:14
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxSetPhysXDelayLoadHook
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:25
                      Start time:02:52:14
                      Start date:03/09/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 6872 -s 324
                      Imagebase:0x7ff6e7fb0000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:26
                      Start time:02:52:14
                      Start date:03/09/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 3352 -s 316
                      Imagebase:0x7ff6e7fb0000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:27
                      Start time:02:52:14
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterUnifiedHeightFields
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:29
                      Start time:02:52:15
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterPhysicsSerializers
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:30
                      Start time:02:52:15
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterParticles
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:31
                      Start time:02:52:15
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterHeightFields
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:32
                      Start time:02:52:15
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterCloth
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:35
                      Start time:02:52:15
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxRegisterArticulations
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:36
                      Start time:02:52:15
                      Start date:03/09/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 2244 -s 316
                      Imagebase:0x7ff6e7fb0000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:37
                      Start time:02:52:15
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxGetValue
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:41
                      Start time:02:52:16
                      Start date:03/09/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\9VYSw7MFa8.dll",PxGetPhysicsBinaryMetaData
                      Imagebase:0x7ff65b800000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                        APIs
                        • GetModuleHandleA.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D13BC
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D142B
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D1446
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D1461
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3466469210.00007FFD945D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD945D0000, based on PE: true
                        • Associated: 00000000.00000002.3466454846.00007FFD945D0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3466662537.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3466703874.00007FFD94880000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3466728550.00007FFD9488E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3466757435.00007FFD948B1000.00000010.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3466776304.00007FFD948B3000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7ffd945d0000_loaddll64.jbxd
                        Similarity
                        • API ID: AddressProc$HandleModule
                        • String ID: 87831852-86F1-4d65-B1F9-C0B24E435096$PhysXUpdateLoader64.dll$createCudaContextManagerDLL$getSuggestedCudaDeviceOrdinalDLL$setFoundationInstance
                        • API String ID: 667068680-2122775079
                        • Opcode ID: e66880e060c8b3457f6e2d4e3eb145d96531cd86d145d2ecb5e08b73685abb97
                        • Instruction ID: 4ef5d37919eee14f16ec6a023410ad74979cbe6195e6478fbd3ab4583e9d14e9
                        • Opcode Fuzzy Hash: e66880e060c8b3457f6e2d4e3eb145d96531cd86d145d2ecb5e08b73685abb97
                        • Instruction Fuzzy Hash: 2121C525F09B0791EEA0DF84F8E82742364BF4AB84B488535C86E16366EF7CE149C340
                        APIs
                        • GetModuleHandleA.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D13BC
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D142B
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D1446
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D1461
                        Strings
                        Memory Dump Source
                        • Source File: 0000001B.00000002.2348771146.00007FFD945D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD945D0000, based on PE: true
                        • Associated: 0000001B.00000002.2348748669.00007FFD945D0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 0000001B.00000002.2349023947.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 0000001B.00000002.2349071445.00007FFD94880000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 0000001B.00000002.2349129431.00007FFD94884000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 0000001B.00000002.2349160694.00007FFD94885000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 0000001B.00000002.2349186625.00007FFD94889000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 0000001B.00000002.2349225185.00007FFD9488E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 0000001B.00000002.2349267703.00007FFD948B1000.00000010.00000001.01000000.00000003.sdmp
                        • Associated: 0000001B.00000002.2349354370.00007FFD948B3000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_27_2_7ffd945d0000_rundll32.jbxd
                        Similarity
                        • API ID: AddressProc$HandleModule
                        • String ID: 87831852-86F1-4d65-B1F9-C0B24E435096$PhysXUpdateLoader64.dll$createCudaContextManagerDLL$getSuggestedCudaDeviceOrdinalDLL$setFoundationInstance
                        • API String ID: 667068680-2122775079
                        • Opcode ID: e66880e060c8b3457f6e2d4e3eb145d96531cd86d145d2ecb5e08b73685abb97
                        • Instruction ID: 4ef5d37919eee14f16ec6a023410ad74979cbe6195e6478fbd3ab4583e9d14e9
                        • Opcode Fuzzy Hash: e66880e060c8b3457f6e2d4e3eb145d96531cd86d145d2ecb5e08b73685abb97
                        • Instruction Fuzzy Hash: 2121C525F09B0791EEA0DF84F8E82742364BF4AB84B488535C86E16366EF7CE149C340
                        APIs
                        • GetModuleHandleA.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D13BC
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D142B
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D1446
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FFD9466A332,?,?,?,?,00007FFD945D109E), ref: 00007FFD947D1461
                        Strings
                        Memory Dump Source
                        • Source File: 00000020.00000002.2330293152.00007FFD945D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFD945D0000, based on PE: true
                        • Associated: 00000020.00000002.2330269735.00007FFD945D0000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000020.00000002.2330646380.00007FFD9482B000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000020.00000002.2330688095.00007FFD94880000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000020.00000002.2330706145.00007FFD94889000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000020.00000002.2330732286.00007FFD9488E000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000020.00000002.2330757228.00007FFD948B1000.00000010.00000001.01000000.00000003.sdmp
                        • Associated: 00000020.00000002.2330775900.00007FFD948B3000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_32_2_7ffd945d0000_rundll32.jbxd
                        Similarity
                        • API ID: AddressProc$HandleModule
                        • String ID: 87831852-86F1-4d65-B1F9-C0B24E435096$PhysXUpdateLoader64.dll$createCudaContextManagerDLL$getSuggestedCudaDeviceOrdinalDLL$setFoundationInstance
                        • API String ID: 667068680-2122775079
                        • Opcode ID: 15369fa08224e32d7e22a9f7c156b9fc48b3fa6c1bd24625aa1af6b0629ea753
                        • Instruction ID: 4ef5d37919eee14f16ec6a023410ad74979cbe6195e6478fbd3ab4583e9d14e9
                        • Opcode Fuzzy Hash: 15369fa08224e32d7e22a9f7c156b9fc48b3fa6c1bd24625aa1af6b0629ea753
                        • Instruction Fuzzy Hash: 2121C525F09B0791EEA0DF84F8E82742364BF4AB84B488535C86E16366EF7CE149C340