Windows Analysis Report 6v8QbANftP.exe

Overview

General Information

Sample Name:6v8QbANftP.exe
Analysis ID:460783
MD5:d2d3438e61d5dcd688652f3f9a67acdf
SHA1:e5ef89d044944987a23578ed102eb584f58371ae
SHA256:67cd12a71d272aac15500b452bfc4c3228e0b7120ba75a19543257b7223b2ce0
Tags:exe

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious ftp.exe
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • 6v8QbANftP.exe (PID: 6644 cmdline: 'C:\Users\user\Desktop\6v8QbANftP.exe' MD5: D2D3438E61D5DCD688652F3F9A67ACDF)
    • WerFault.exe (PID: 6884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 864 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 900 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 952 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 952 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Suspicious ftp.exe
Source: Process started
Author: Victor Sergeev, oscd.community
Data:
  • Command: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 864
  • CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 864
  • CommandLine|base64offset|contains: 
  • Image: C:\Windows\SysWOW64\WerFault.exe
  • NewProcessName: C:\Windows\SysWOW64\WerFault.exe
  • OriginalFileName: C:\Windows\SysWOW64\WerFault.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\6v8QbANftP.exe'
  • ParentImage: C:\Users\user\Desktop\6v8QbANftP.exe
  • ParentProcessId: 6644
  • ProcessCommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 864
  • ProcessId: 6884

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 6v8QbANftP.exe Virustotal: Detection: 57%
Source: 6v8QbANftP.exe ReversingLabs: Detection: 71%
Machine Learning detection for sample
Source: 6v8QbANftP.exe Joe Sandbox ML: detected
Source: 4.2.WerFault.exe.5a80000.14.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 8.2.WerFault.exe.52f0000.14.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 22.2.WerFault.exe.5700000.12.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 13.2.WerFault.exe.4f40000.15.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 6v8QbANftP.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 172.67.150.157:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.150.157:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: Binary string: msasn1.pdb? source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Joe Sandbox View; JA3 fingerprint: fd80fa9c6120cdeea8520510f3c644ac
Source: unknown; DNS traffic detected: queries for: nikolakigreate.live
Source: 6v8QbANftP.exe, 00000000.00000000.665546017.0000000001610000.00000002.00000001.sdmp; String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: 6v8QbANftP.exe, 00000000.00000000.673820521.0000000003890000.00000004.00000001.sdmp; String found in binary or memory: http://www.openssl.org/support/faq.html
Source: 6v8QbANftP.exe, 00000000.00000000.673820521.0000000003890000.00000004.00000001.sdmp; String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 6v8QbANftP.exe, 00000000.00000000.673820521.0000000003890000.00000004.00000001.sdmp; String found in binary or memory: https://clients2.google.com/service/update2/crxversion6.1.6needs_syncnever_activated_since_loadedpat
Source: 6v8QbANftP.exe, 00000000.00000000.673820521.0000000003890000.00000004.00000001.sdmp; String found in binary or memory: https://test.com/
Source: 6v8QbANftP.exe, 00000000.00000000.673820521.0000000003890000.00000004.00000001.sdmp; String found in binary or memory: https://test.com/session.restore_on_startupsession.startup_urlssuper_mac
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown; Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown; Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown; HTTPS traffic detected: 172.67.150.157:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.150.157:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: C:\Users\user\Desktop\6v8QbANftP.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 864
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe, 00000000.00000000.703135729.0000000003230000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemsadp32.acm.muij% vs 6v8QbANftP.exe
Source: 6v8QbANftP.exe, 00000000.00000000.711135259.0000000003260000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemsfltr32.acm.muij% vs 6v8QbANftP.exe
Source: 6v8QbANftP.exe, 00000000.00000000.673114834.0000000003240000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemsg711.acm.muij% vs 6v8QbANftP.exe
Source: 6v8QbANftP.exe, 00000000.00000000.667123096.0000000003250000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemsgsm32.acm.muij% vs 6v8QbANftP.exe
Source: 6v8QbANftP.exe, 00000000.00000000.665546017.0000000001610000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamel3codec.acm.muif# vs 6v8QbANftP.exe
Source: 6v8QbANftP.exe, 00000000.00000000.709913562.0000000001570000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameimaadp32.acm.muij% vs 6v8QbANftP.exe
Source: 6v8QbANftP.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: 6v8QbANftP.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine; Classification label: mal52.winEXE@5/16@3/1
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6644
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D24.tmp
Source: C:\Users\user\Desktop\6v8QbANftP.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\6v8QbANftP.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\6v8QbANftP.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\6v8QbANftP.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\6v8QbANftP.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: 6v8QbANftP.exe; Virustotal: Detection: 57%
Source: 6v8QbANftP.exe; ReversingLabs: Detection: 71%
Source: unknown; Process created: C:\Users\user\Desktop\6v8QbANftP.exe 'C:\Users\user\Desktop\6v8QbANftP.exe'
Source: C:\Users\user\Desktop\6v8QbANftP.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 864
Source: C:\Users\user\Desktop\6v8QbANftP.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 900
Source: C:\Users\user\Desktop\6v8QbANftP.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 952
Source: C:\Users\user\Desktop\6v8QbANftP.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 952
Source: 6v8QbANftP.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 6v8QbANftP.exe; Static file information: File size 1908736 > 1048576
Source: 6v8QbANftP.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x175000
Source: Binary string: msacm32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbB source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.688396915.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdbQ source: WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.688396915.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.688396915.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: msg711.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724009315.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781014292.0000000004E23000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834511115.00000000052A3000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.682649693.00000000036A2000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb" source: WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.688396915.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724009315.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781014292.0000000004E23000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834511115.00000000052A3000.00000004.00000040.sdmp
Source: Binary string: msacm32.pdb- source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: imaadp32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdbs source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.688396915.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdbB source: WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdby source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: msadp32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: tdh.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb) source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: msadp32.pdbB source: WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdb% source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdb/ source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780849181.0000000004E31000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834490121.00000000052B1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbc source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbu source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724009315.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781014292.0000000004E23000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834511115.00000000052A3000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724051696.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781426920.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834717243.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbc source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb9 source: WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdby source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: XmlLite.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb] source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724051696.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781426920.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834717243.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724009315.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781014292.0000000004E23000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834511115.00000000052A3000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724051696.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781426920.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834717243.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: userenv.pdbU source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp
Source: Binary string: version.pdb3 source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb8 source: WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb6 source: WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: AppxSip.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdb; source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: XmlLite.pdb& source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: wtsapi32.pdbK source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: OpcServices.pdbo source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724009315.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781014292.0000000004E23000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834511115.00000000052A3000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbG source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdbR source: WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb5 source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdbS source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: AppxSip.pdb! source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.688396915.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: wtsapi32.pdbW source: WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbA source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbB source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp
Source: Binary string: OpcServices.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.688396915.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb/ source: WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.688396915.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: l3codeca.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb+ source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: l3codeca.pdb2 source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbk source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000004.00000003.680610639.000000000542D000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.758596051.000000000458E000.00000004.00000001.sdmp
Source: Binary string: mintdh.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.682649693.00000000036A2000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: XmlLite.pdbe source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.688396915.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbd source: WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb$ source: WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724009315.00000000052D1000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781014292.0000000004E23000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834511115.00000000052A3000.00000004.00000040.sdmp
Source: Binary string: msgsm32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: winrnr.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724051696.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781426920.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834717243.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: l3codeca.pdb source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724057240.00000000052D4000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781014292.0000000004E23000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834511115.00000000052A3000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724051696.00000000052D0000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781426920.0000000004E20000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834717243.00000000052A0000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp
Source: Binary string: wtsapi32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.780637410.0000000004E2C000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834465311.00000000052AC000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.688396915.0000000005881000.00000004.00000001.sdmp, WerFault.exe, 00000008.00000003.723973854.0000000005131000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.781241894.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.834640141.0000000005611000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb< source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdba source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000004.00000003.688410904.0000000005A60000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724057240.00000000052D4000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781014292.0000000004E23000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834511115.00000000052A3000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb? source: WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.688418195.0000000005A67000.00000004.00000040.sdmp, WerFault.exe, 00000008.00000003.724021815.00000000052D7000.00000004.00000040.sdmp, WerFault.exe, 0000000D.00000003.781159169.0000000004E29000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.834732234.00000000052A9000.00000004.00000040.sdmp
Source: 6v8QbANftP.exe; Static PE information: section name: .data1
Source: initial sample; Static PE information: section name: .text entropy: 7.9131965055
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 00000004.00000002.699762611.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 00000008.00000002.728507699.0000000000ED0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.796639207.0000000004740000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.853952639.0000000005950000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000016.00000002.852953448.0000000004DCC000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000004.00000002.699762611.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 00000008.00000002.728507699.0000000000ED0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.796639207.0000000004740000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.853952639.0000000005950000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.699762611.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 00000008.00000002.728507699.0000000000ED0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.796639207.0000000004740000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.853952639.0000000005950000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000004.00000002.699762611.0000000005C60000.00000002.00000001.sdmp, WerFault.exe, 00000008.00000002.728507699.0000000000ED0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.796639207.0000000004740000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.853952639.0000000005950000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\6v8QbANftP.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\6v8QbANftP.exe; Process queried: DebugPort
Source: 6v8QbANftP.exe, 00000000.00000000.665605500.0000000001AE0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: 6v8QbANftP.exe, 00000000.00000000.665605500.0000000001AE0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: 6v8QbANftP.exe, 00000000.00000000.665605500.0000000001AE0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: 6v8QbANftP.exe, 00000000.00000000.665605500.0000000001AE0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\6v8QbANftP.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

(Numbers in parentheses are the counts attached to each technique in the original matrix.)

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (2) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing (3) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (2) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | System Information Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 6v8QbANftP.exe | 57% | Virustotal | |
| 6v8QbANftP.exe | 71% | ReversingLabs | Win32.Trojan.Bingoml |
| 6v8QbANftP.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 4.2.WerFault.exe.5a80000.14.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 |
| 8.2.WerFault.exe.52f0000.14.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 |
| 22.2.WerFault.exe.5700000.12.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 |
| 13.2.WerFault.exe.4f40000.15.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2 |

Domains

| Source | Detection | Scanner | Label |
|---|---|---|---|
| nikolakigreate.live | 0% | Virustotal | |

URLs

| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| nikolakigreate.live | 172.67.150.157 | true | false | | unknown |

URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://clients2.google.com/service/update2/crxversion6.1.6needs_syncnever_activated_since_loadedpat | 6v8QbANftP.exe, 00000000.00000000.673820521.0000000003890000.00000004.00000001.sdmp | false | | high |
| https://test.com/ | 6v8QbANftP.exe, 00000000.00000000.673820521.0000000003890000.00000004.00000001.sdmp | false | | high |
| http://www.iis.fhg.de/audioPA | 6v8QbANftP.exe, 00000000.00000000.665546017.0000000001610000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| https://test.com/session.restore_on_startupsession.startup_urlssuper_mac | 6v8QbANftP.exe, 00000000.00000000.673820521.0000000003890000.00000004.00000001.sdmp | false | | high |
| http://www.openssl.org/support/faq.html | 6v8QbANftP.exe, 00000000.00000000.673820521.0000000003890000.00000004.00000001.sdmp | false | | high |
| https://clients2.google.com/service/update2/crx | 6v8QbANftP.exe, 00000000.00000000.673820521.0000000003890000.00000004.00000001.sdmp | false | | high |

            Contacted IPs


            Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 172.67.150.157 | nikolakigreate.live | United States | 13335 | CLOUDFLARENETUS | false |

            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 460783
Start date: 06.08.2021
Start time: 16:18:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 6v8QbANftP.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.winEXE@5/16@3/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
            Warnings:
            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, wermgr.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 52.147.198.201, 23.211.6.115, 20.82.210.154, 104.43.193.48, 67.27.157.126, 8.248.131.254, 67.27.157.254, 8.248.141.254, 8.253.207.121, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 52.255.188.83
            • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 16:20:40 | API Interceptor | 1x Sleep call for process: WerFault.exe modified |

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| CLOUDFLARENETUS | DOC040821.exe | malicious | 172.67.188.138 |
| | FC73GQTY0090TWI.exe | malicious | 172.67.160.130 |
| | Referans iin orijinal nakliye belgeleri.xls.exe | malicious | 104.21.19.200 |
| | Payment Advice.exe | malicious | 104.21.19.200 |
| | QRT02135.exe | malicious | 172.67.160.130 |
| | FC73GQTY0090TWMNA.exe | malicious | 104.18.6.156 |
| | Invoicel-datasheet.exe | malicious | 104.18.7.156 |
| | Devis.exe | malicious | 104.21.19.200 |
| | FX-Transfer-Form.xlsx | malicious | 23.227.38.74 |
| | Po 08062021.exe | malicious | 104.21.19.200 |
| | ASM9WQK4L9.exe | malicious | 104.21.19.200 |
| | yyyy.exe | malicious | 104.23.98.190 |
| | CTP0cLlCLh.exe | malicious | 104.21.87.184 |
| | EGBl6IQ92a.exe | malicious | 104.21.14.85 |
| | BOQ-DOU-2021-09-02.exe | malicious | 172.67.188.154 |
| | LIST.KRT.exe | malicious | 104.16.14.194 |
| | Transfer receipt Copy 1038690332210516.exe | malicious | 172.67.188.154 |
| | Facilities_Payment_Remittance_Advice.htm | malicious | 104.21.50.81 |
| | SecuriteInfo.com.ArtemisF25F629DE8FD.21928.exe | malicious | 104.21.19.200 |
| | 4KLT0900000.exe | malicious | 104.21.19.200 |

            JA3 Fingerprints

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| fd80fa9c6120cdeea8520510f3c644ac | spjYwLgrAT.exe | malicious | 172.67.150.157 |
| | spjYwLgrAT.exe | malicious | 172.67.150.157 |
| | egGgMixHNS.exe | malicious | 172.67.150.157 |
| | egGgMixHNS.exe | malicious | 172.67.150.157 |
| | 5KYnVcv9cf.exe | malicious | 172.67.150.157 |
| | 5KYnVcv9cf.exe | malicious | 172.67.150.157 |
| | pjjaluln.exe | malicious | 172.67.150.157 |
| | KMSPico 11.1.2.exe | malicious | 172.67.150.157 |

            Dropped Files

            No context

            Created / dropped Files

            C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_6v8QbANftP.exe_688edab69f7ff65bdccb9775bfc9ed6983279f0_57fa7400_1276ab73\Report.wer
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):14222
            Entropy (8bit):3.771404850198711
            Encrypted:false
            SSDEEP:192:+nK38s4Hzv+6jic5nBWMj/u7sAS274It17U:d4zv+6j9j/u7sAX4IthU
            MD5:3FE1F7464BFC6CBA5AEF41376FA76594
            SHA1:3A7E59267B74DFE4EE400615B256A513618C159E
            SHA-256:DE4233F5196583EDE9B829B40250E7D7644D9FB8F2BB8D8CAFC857DDF9FFA6B1
            SHA-512:23F203E854635450B795B8B9FAF408B8789F2E7C74C3E6CA50D88E7BE2054210960ECF81BAE00EFBB0C398C64D3251B6D25104910A511CA0D0609286E5931611
            Malicious:true
            Reputation:low
            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.2.7.3.3.2.3.1.1.3.8.3.3.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.2.7.3.3.2.3.9.1.8.5.1.8.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.b.4.7.0.b.9.-.f.2.3.9.-.4.e.2.3.-.8.2.7.6.-.9.d.8.5.9.3.8.1.8.9.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.9.e.1.e.6.c.-.e.c.4.c.-.4.9.5.7.-.9.5.9.d.-.5.f.c.c.e.2.1.0.b.7.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.v.8.Q.b.A.N.f.t.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.4.-.0.0.0.1.-.0.0.1.b.-.0.a.e.f.-.1.6.0.7.c.e.8.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.6.e.1.2.3.d.9.6.6.8.9.e.1.f.9.e.d.d.b.4.3.3.8.7.d.6.4.9.6.e.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.e.f.8.9.d.0.4.4.9.4.4.9.8.7.a.2.3.5.7.8.e.d.1.0.2.e.b.5.8.4.f.5.8.3.7.1.a.e.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6v8QbANftP.exe_9b29693fc10432de851c441d683116a9f61e8_57fa7400_01edcc4e\Report.wer
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):13292
            Entropy (8bit):3.774250915721966
            Encrypted:false
            SSDEEP:192:tK35gH56rojic5nBWMJ/u7sbS274Ite7E:Im56roj9J/u7sbX4ItEE
            MD5:97867316820D65C2848A194F4591095D
            SHA1:B1135A2FEC450FB941EB62C10FC75FA875D470D5
            SHA-256:58D57487C030C1D7CE6C6D179D0998B6C26A9682FE3B1F3F2042BFD8E552C445
            SHA-512:CA87B894ECBF25A2AD022228657940A068DD9926F7E58FB95CB33992C267E33E1E2390EF79707EE0B2E416483F43B157B4AE57FAAC86FDD033D9D13556BCDC5F
            Malicious:true
            Reputation:low
            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.2.7.3.3.1.7.9.9.6.2.0.9.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.8.f.9.1.d.3.-.f.1.b.b.-.4.d.c.a.-.9.c.4.9.-.0.9.9.b.c.2.8.4.b.8.9.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.5.7.c.6.f.3.-.5.e.0.b.-.4.d.3.e.-.b.0.3.d.-.5.f.f.f.4.2.b.5.8.9.3.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.v.8.Q.b.A.N.f.t.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.4.-.0.0.0.1.-.0.0.1.b.-.0.a.e.f.-.1.6.0.7.c.e.8.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.6.e.1.2.3.d.9.6.6.8.9.e.1.f.9.e.d.d.b.4.3.3.8.7.d.6.4.9.6.e.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.e.f.8.9.d.0.4.4.9.4.4.9.8.7.a.2.3.5.7.8.e.d.1.0.2.e.b.5.8.4.f.5.8.3.7.1.a.e.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.7././.2.5.:.0.5.:.3.9.:.0.8.!.0.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....B.o.o.t.I.d.=.4.
            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6v8QbANftP.exe_9b29693fc10432de851c441d683116a9f61e8_57fa7400_19ce421a\Report.wer
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):13722
            Entropy (8bit):3.770332545672283
            Encrypted:false
            SSDEEP:192:jK3rgH56rojic5nBWM2/u7sbS274Ite7h:Gc56roj92/u7sbX4ItEh
            MD5:347D56B55672D6EE8325ED220A8634B8
            SHA1:3B9BF4EE5450C3AD0BC52E7CA63BF1326B79D0BA
            SHA-256:59CC637CBDEAC37B01CACE960BB1DF4F61F996C0DDE08F06B55091757E0D485C
            SHA-512:893D704FD9A8FCE61F23B2D4885B1144C47D3935CC82806CEDC4289D740AC0C4C120B76FD6220F1F46D7AB49DF46222301B16C6FE1B3C283DD2A4DF4B70371F0
            Malicious:true
            Reputation:low
            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.2.7.3.3.2.0.1.7.6.3.0.1.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.6.f.e.a.f.e.-.2.1.e.9.-.4.7.8.4.-.8.f.d.d.-.1.9.e.b.4.3.f.0.3.b.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.5.f.1.f.a.7.-.3.4.0.0.-.4.8.1.c.-.b.0.1.1.-.4.6.0.7.8.9.a.9.f.a.3.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.v.8.Q.b.A.N.f.t.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.4.-.0.0.0.1.-.0.0.1.b.-.0.a.e.f.-.1.6.0.7.c.e.8.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.6.e.1.2.3.d.9.6.6.8.9.e.1.f.9.e.d.d.b.4.3.3.8.7.d.6.4.9.6.e.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.e.f.8.9.d.0.4.4.9.4.4.9.8.7.a.2.3.5.7.8.e.d.1.0.2.e.b.5.8.4.f.5.8.3.7.1.a.e.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.7././.2.5.:.0.5.:.3.9.:.0.8.!.0.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....B.o.o.t.I.d.=.4.
            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6v8QbANftP.exe_9b29693fc10432de851c441d683116a9f61e8_57fa7400_1bf99149\Report.wer
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):13328
            Entropy (8bit):3.773978276350042
            Encrypted:false
            SSDEEP:192:2K3VgH56rojic5nBWMJ/u7sbS274Ite7S:1y56roj9J/u7sbX4ItES
            MD5:C4D053D075E4C4133D95888A28AE2A86
            SHA1:B07C676500A96C5FF760471042336FD2367B1B60
            SHA-256:C0C468A85AC844CCE70654484A37C4FC1BF74489A97231A50B78303A7F15BE8C
            SHA-512:5DEDE90981EEB2C7DC5DD7D0771722A047EA67730C2F987CC43D41249A99AC99672DA11211533812393B3505F7A2A9F270188C47D071418205332F84F1A35691
            Malicious:true
            Reputation:low
            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.2.7.3.3.1.6.3.4.9.8.7.4.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.d.5.4.3.6.f.-.a.6.b.1.-.4.0.d.d.-.9.6.7.9.-.9.6.7.0.a.b.1.d.8.6.9.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.b.e.f.f.2.a.c.-.d.2.c.0.-.4.5.9.2.-.a.9.a.f.-.5.3.9.a.5.6.3.4.0.c.a.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.v.8.Q.b.A.N.f.t.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.4.-.0.0.0.1.-.0.0.1.b.-.0.a.e.f.-.1.6.0.7.c.e.8.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.6.e.1.2.3.d.9.6.6.8.9.e.1.f.9.e.d.d.b.4.3.3.8.7.d.6.4.9.6.e.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.e.f.8.9.d.0.4.4.9.4.4.9.8.7.a.2.3.5.7.8.e.d.1.0.2.e.b.5.8.4.f.5.8.3.7.1.a.e.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.7././.2.5.:.0.5.:.3.9.:.0.8.!.0.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....B.o.o.t.I.d.=.4.
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER129E.tmp.dmp
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Mini DuMP crash report, 15 streams, Fri Aug 6 14:20:08 2021, 0x1205a4 type
            Category:dropped
            Size (bytes):73922
            Entropy (8bit):2.1077711881811925
            Encrypted:false
            SSDEEP:384:fS1zjyrUgou2T1V1IeNK1HbFMqp2sSp3445+vBn:wzjyr0VV13NSH2qp2sk4W+R
            MD5:BA9DD7CF31350DFB7F0A72614F1BEBDA
            SHA1:D1CE4AE8293076E8E5FA8235C75A566F0A0D30B2
            SHA-256:2FF27CE5909D20287A20E712E55EF051753E772668641B16DADF3D92BD911D98
            SHA-512:510CA93F1D14E53AA80B84547E19E4CC4D5A932AA4732A46CA122E11E2127E49B72D1B6438A9847C5B69C918B8300B002FAA850C9B3077A72571C08110383453
            Malicious:false
            Reputation:low
            Preview: MDMP....... ........E.a...................U...........B......p'......GenuineIntelW...........T............D.a.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FFB.tmp.WERInternalMetadata.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):8364
            Entropy (8bit):3.7053550900160936
            Encrypted:false
            SSDEEP:192:Rrl7r3GLNive69Gx6YrQSU4EEgmfTSQ+pBP89b727wsf0FJm:RrlsNiW6C6YsSU4EEgmfTSu74fv
            MD5:6DDD26F24F051F5EE953E4B95822B9DB
            SHA1:B62E17E7303A733A16245A18EA7BE84E06A2C3CC
            SHA-256:2A4E916687F7C0566516FC1CABBD7A56D7B9EB6D25006F8382320769C8ECC575
            SHA-512:41D037BC1D12F28E4996B76787568D17D5A0DCE9EA5675397BD2687A850098AB59A51D6BD1DAD8478787408C05BA81D018990C37A593F92468D955B4B0444EE7
            Malicious:false
            Reputation:low
            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.4.<./.P.i.d.>.......
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER3981.tmp.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4603
            Entropy (8bit):4.502112027646357
            Encrypted:false
            SSDEEP:48:cvIwSD8zsUJgtWI9caWSC8Bws8fm8M4JuStZFl+q8d8zFQbO34x3d:uITfSjbSNOJXhnFQy4x3d
            MD5:C9067B5FC547492E6085891F819D48BC
            SHA1:88133C36CAB555193428134EC174BB2CC8F85774
            SHA-256:EE48D7CEE4407E6125113B0A71FA236739E3EEBA46897AF43FDF8356D71740D5
            SHA-512:869CA940E8F492F7AB67589C14842792690B0C4F1823F9193F832F255932CCF23458B867A09F2735D1CED2E54CE43327A453813658392B705361926E28E52059
            Malicious:false
            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1110210" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D24.tmp.dmp
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Fri Aug 6 14:19:25 2021, 0x1205a4 type
            Category:dropped
            Size (bytes):61286
            Entropy (8bit):2.3292487248930747
            Encrypted:false
            SSDEEP:384:FIAzHSmrjiAtyeQU62V1IeukJUnVkCDD/rh6LSnp:LzHSm6Aty7uV13ukWqCDD96LSp
            MD5:F3A57CEBAE096F7FF6819B466E9F466A
            SHA1:E11A68A3E83AC028A0F8E33C945C91EA3D16DADC
            SHA-256:1F505E70236A6357B680FEFBC76A89369D61984E504E68A8BA8B36EF6B824D8D
            SHA-512:4331F0451B50D1D2AC528EF75F317EDC0E5D009E4D71DC95411B26A4EC4919DB48297525588A589F0D2D4A29D110BC7F0CA991907FB17C18A2BB4A5C5F1674F3
            Malicious:false
            Preview: MDMP....... ........D.a...................U...........B.......$......GenuineIntelW...........T............D.a.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER855D.tmp.dmp
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Mini DuMP crash report, 15 streams, Fri Aug 6 14:20:33 2021, 0x1205a4 type
            Category:dropped
            Size (bytes):67014
            Entropy (8bit):2.137232023703084
            Encrypted:false
            SSDEEP:384:C0WzXZheiV1Ie0mcHbFMqpQpgs/7y6LmbO:wzXrV130XH2qp+gsTyemy
            MD5:33603F231A5DE6CAFAE4AFC7B1117090
            SHA1:673E5F387DE38D836249C1A837D67053DB7F2425
            SHA-256:27C688DB84DFCB0103155B8E3BDE7A4CAB68C2332CA31A4F204C7B166F5D6B7A
            SHA-512:AB3C357A134923A9CD12905B35CF460EF568284F390259F47416C3B6973E2658E46FDA6B44663C29DC715E1AA8325469F6DBBBFAC04291798602D3CA27A53B0F
            Malicious:false
            Preview: MDMP....... .......1E.a...................U...........B......p'......GenuineIntelW...........T............D.a.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER861E.tmp.WERInternalMetadata.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):8358
            Entropy (8bit):3.704591017466626
            Encrypted:false
            SSDEEP:192:Rrl7r3GLNivq6/6YrOSUoElgmfTSQ+pBG89bc27wsfv0m:RrlsNiS6/6YiSUoElgmfTSBc4f5
            MD5:4F67BBA545A70E128ABE261A217B1535
            SHA1:F80E7D72C5C8704F4C9D7ECCAA804C889438D179
            SHA-256:EF61F8C59040F4EE16C07F932152C731EB686198A6DA72C4E95B4E5B34CF8505
            SHA-512:491A820AD46B1B28ACBF2B3AC159A8ABECFD209A460953774A6C94F7B63E11BE67282A369E4AB91C7B4F4676FFF5386C83E79A795A54EC275A4264C699D420FF
            Malicious:false
            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.4.<./.P.i.d.>.......
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER88DE.tmp.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4603
            Entropy (8bit):4.5032227760502135
            Encrypted:false
            SSDEEP:48:cvIwSD8zsUJgtWI9caWSC8Bz8fm8M4JuStZFP+q8d8zFQbO34x3d:uITfSjbSN+JXLnFQy4x3d
            MD5:2E4F7146F0DC027D96162472B088E851
            SHA1:5C8B5A15CA401F458B9EA961678F49B1450C01BC
            SHA-256:44C5760F39562E66932A5402562802F5059072F1BCCD595F28B3D95832CB0C2F
            SHA-512:5041B1411CC20F69F5AFF388EBA8CB663786959AF7818790D3C6904C125B400498887A3592CE8507D79CF69582A3F49C2168BFB0BADBB32613C7B2DF6DC190BB
            Malicious:false
            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1110210" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER90A9.tmp.WERInternalMetadata.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):8384
            Entropy (8bit):3.6960018099071297
            Encrypted:false
            SSDEEP:192:Rrl7r3GLNivH6O6YrlSU/EggmfCSk+pDG89bd27wsfpfm:RrlsNiP6O6Y5SU/EggmfCSvd4fM
            MD5:37FF15D43E593018ABED730D1C981762
            SHA1:35597ABA17F36B09F1F8A9E8BCFBF50AD4A41223
            SHA-256:5347D6683CC0EBD62F172BC859C9EFCC0B7A47D7E4304CED297E29657B0862E2
            SHA-512:4F8745B96D20A4F4BA67A41530E28C32984A506C02EE910B50817BFD3EE61662C291EB311F00D60DB63F123BB74F5D87E381945C46DE612EB03E9DF7F3CA242A
            Malicious:false
            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.4.<./.P.i.d.>.......
            C:\ProgramData\Microsoft\Windows\WER\Temp\WER94FF.tmp.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4664
            Entropy (8bit):4.452747872200867
            Encrypted:false
            SSDEEP:48:cvIwSD8zs7JgtWI9caWSC8Bv8fm8M4JuSP2FZN3+q8vzSPaQbO34x3d:uITfVjbSNuJkJK9Qy4x3d
            MD5:B1DDC3564CE0AD8CC4B57820A723E4E1
            SHA1:D6941B90932B0102FA9CEBB0B07B5DAFB85CA628
            SHA-256:96315A6D2ECB122723912EA893E664782D536C3422EFB364D57DBC1EB916CA03
            SHA-512:927368CB5CB7E23ADF4D278CA391636A4F6E283F2EF3813FA16493A44FE1CC5DDDD7D51FD61D0167ADE422A94739C18C0E662A006D364933BDF9B528F26CDB8F
            Malicious:false
            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1110211" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
            C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD79.tmp.dmp
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Fri Aug 6 14:19:42 2021, 0x1205a4 type
            Category:dropped
            Size (bytes):65844
            Entropy (8bit):2.23124090343673
            Encrypted:false
            SSDEEP:384:x4dBzVitv/DdEU62V1IehCNzCZkFzfDBx9evbtho:yLzVit3GuV13MN3FzDxevhho
            MD5:22CFB46E0F7DEBAB8858D1E5F264A71B
            SHA1:DFADA8CB23B2086099C1963BE06515C52E4BADA0
            SHA-256:F63907CA89400E77084EDD65CEC2232A48E52FF5157038035962466D50060FCF
            SHA-512:7BBCCB7A6A6305E15ABFD8DBA8B84C8F682CFFDCF9438BA03E444AFEEF8525CC97B3EA43A5724EE2A69346EFD166990B226CD2984C6DD40811BF9CC9B81F9F47
            Malicious:false
            Preview: MDMP....... ........D.a...................U...........B.......%......GenuineIntelW...........T............D.a.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
            C:\ProgramData\Microsoft\Windows\WER\Temp\WERC70F.tmp.WERInternalMetadata.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):8356
            Entropy (8bit):3.704907038606219
            Encrypted:false
            SSDEEP:192:Rrl7r3GLNivu6p6Yr7SUrEBgmfTSQ+pB489b+27wsfBKm:RrlsNiW6p6YXSUrEBgmfTS7+4ft
            MD5:78AC3E5759C39CDC41D58381B3390C81
            SHA1:60588ADE94CABAF930B026AE27BDF93FF9A03749
            SHA-256:7769FDD7C82E42D2D6D155AD2F10F6037FF63459D8E635C69C04D0C27AED8508
            SHA-512:68120FB863B375CF2B525AF9FCFA4258CBE53441746760DD4A72D3803F033314944A9A962E4A8920AF16C66704D512E4D8DDE883E514446B0845D7043E14127A
            Malicious:false
            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.4.<./.P.i.d.>.......
            C:\ProgramData\Microsoft\Windows\WER\Temp\WERC904.tmp.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4603
            Entropy (8bit):4.505508842908839
            Encrypted:false
            SSDEEP:48:cvIwSD8zsUJgtWI9caWSC8Bm8fm8M4JuStZFU+q8d8zFQbO34x3d:uITfSjbSNxJXYnFQy4x3d
            MD5:6D6C920EABF4F61BE3971F1DACBC4F3D
            SHA1:3CF608C7A0D9FDD066691FC035B3726F08D9C131
            SHA-256:5827E6675C648F5E8548281B2721BE47C4990F6FBFCD1202E788E4C1F0446169
            SHA-512:57FE43575C33E6CC54C9D3C68EF321B391B3BC4E304D625BD0ECD0699F5D0CD32D29CF0BE914A5A75607482271C6C80AD030DE933BDE796EA79775E8A9D34560
            Malicious:false
            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1110210" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.573661681226388
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.83%
            • Windows Screen Saver (13104/52) 0.13%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • VXD Driver (31/22) 0.00%
            File name:6v8QbANftP.exe
            File size:1908736
            MD5:d2d3438e61d5dcd688652f3f9a67acdf
            SHA1:e5ef89d044944987a23578ed102eb584f58371ae
            SHA256:67cd12a71d272aac15500b452bfc4c3228e0b7120ba75a19543257b7223b2ce0
            SHA512:05a9ee7e6d64a62abec568a05e2a615879f331d238e1cc2a1be24e86b7bcc8aa9c0ad1d047c98dd133985164fa8721e619743fe89093da42d5f29299f11b73ef
            SSDEEP:24576:XLRorZQmsbyIISwoMmJcCW+WCwcWiNFBtTMA2gdOjBpdo6AOldmf4kQ8Xi3Up5s7:X1OF9IIFEcelj7AA2dBpdoXumLrfy
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....X.a.................P...........@.......`....@........................................................................

            File Icon

            Icon Hash:d2c6c4c4ecc4ccf0

            Static PE Info

            General

            Entrypoint:0x574080
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
            DLL Characteristics:
            Time Stamp:0x6106580E [Sun Aug 1 08:15:10 2021 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:0
            File Version Major:5
            File Version Minor:0
            Subsystem Version Major:5
            Subsystem Version Minor:0
            Import Hash:c0368754e508c9f92c16810ccc9c68cc

            Entrypoint Preview

            Instruction
            push ebp
            mov ebp, esp
            push FFFFFFFFh
            push 005766D0h
            push 0057406Eh
            mov eax, dword ptr fs:[00000000h]
            push eax
            mov dword ptr fs:[00000000h], esp
            sub esp, 68h
            push ebx
            push esi
            push edi
            mov dword ptr [ebp-18h], esp
            xor ebx, ebx
            mov dword ptr [ebp-04h], ebx
            push 00000002h
            call dword ptr [005763ACh]
            pop ecx
            or dword ptr [0118F000h], FFFFFFFFh
            or dword ptr [0118F004h], FFFFFFFFh
            call dword ptr [00576388h]
            mov ecx, dword ptr [0118EFF0h]
            mov dword ptr [eax], ecx
            call dword ptr [005763B4h]
            mov ecx, dword ptr [0118EFECh]
            mov dword ptr [eax], ecx
            mov eax, dword ptr [005763B8h]
            mov eax, dword ptr [eax]
            mov dword ptr [0118F008h], eax
            call 00007F4A5C9EEB95h
            cmp dword ptr [00579030h], ebx
            jne 00007F4A5C9EEA8Eh
            push 005741FCh
            call dword ptr [005763BCh]
            pop ecx
            call 00007F4A5C9EEB67h
            push 0057900Ch
            push 00579008h
            call 00007F4A5C9EEB52h
            mov eax, dword ptr [0118EFE8h]
            mov dword ptr [ebp-6Ch], eax
            lea eax, dword ptr [ebp-6Ch]
            push eax
            push dword ptr [0118EFE4h]
            lea eax, dword ptr [ebp-64h]
            push eax
            lea eax, dword ptr [ebp-70h]
            push eax
            lea eax, dword ptr [ebp-60h]
            push eax
            call dword ptr [005763A0h]
            push 00579004h
            push 00579000h
            call 00007F4A5C9EEB1Fh

            Data Directories

            Name                                  Virtual Address  Virtual Size  Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IMPORT          0x1766ec         0xf0          .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd94000         0x53d8c       .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_TLS             0x1766b8         0x18          .rdata
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IAT             0x176000         0x69c         .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

            Sections

            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
            .text   0x1000           0x17413e      0x175000  False     0.935376042016   data       7.9131965055     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata  0x176000         0x2a36        0x3000    False     0.358317057292   data       5.23691686275    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data   0x179000         0xc1600c      0x1000    unknown   unknown          unknown    unknown          IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .tls    0xd90000         0xc           0x1000    False     0.007080078125   data       0.0032818649698  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .data1  0xd91000         0x288         0x1000    False     0.128173828125   data       1.41331134047    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .idata  0xd92000         0x1440        0x2000    False     0.49560546875    data       5.06261072581    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc   0xd94000         0x53d8c       0x54000   False     0.244451613653   data       5.17905187938    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_BITMAP | 0xd95078 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0xd95158 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0xd95238 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0xd95318 | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0xd953d8 | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0xd95498 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0xd95578 | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0xd95638 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0xd95718 | 0xc0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_BITMAP | 0xd957d8 | 0xe0 | GLS_BINARY_LSB_FIRST | English | United States
            RT_ICON | 0xd958b8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
            RT_ICON | 0xda60e0 | 0xea8 | data | English | United States
            RT_ICON | 0xda6f88 | 0x8a8 | data | English | United States
            RT_ICON | 0xda7830 | 0x6c8 | data | English | United States
            RT_ICON | 0xda7ef8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
            RT_ICON | 0xda8460 | 0x3b2f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
            RT_ICON | 0xdabf90 | 0x25a8 | data | English | United States
            RT_ICON | 0xdae538 | 0x10a8 | data | English | United States
            RT_ICON | 0xdaf5e0 | 0x988 | data | English | United States
            RT_ICON | 0xdaff68 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
            RT_ICON | 0xdb03d0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
            RT_ICON | 0xdc0bf8 | 0x25a8 | data | English | United States
            RT_ICON | 0xdc31a0 | 0x10a8 | data | English | United States
            RT_ICON | 0xdc4248 | 0x988 | data | English | United States
            RT_ICON | 0xdc4bd0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
            RT_ICON | 0xdc5038 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
            RT_ICON | 0xdd5860 | 0x25a8 | data | English | United States
            RT_ICON | 0xdd7e08 | 0x10a8 | data | English | United States
            RT_ICON | 0xdd8eb0 | 0x988 | data | English | United States
            RT_ICON | 0xdd9838 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
            RT_STRING | 0xdd9ca0 | 0x848 | data | |
            RT_STRING | 0xdda4e8 | 0xa58 | data | |
            RT_STRING | 0xddaf40 | 0x800 | data | |
            RT_STRING | 0xddb740 | 0x300 | data | |
            RT_STRING | 0xddba40 | 0x240 | data | |
            RT_STRING | 0xddbc80 | 0x134 | data | |
            RT_STRING | 0xddbdb4 | 0x134 | data | |
            RT_STRING | 0xddbee8 | 0xe4 | data | |
            RT_STRING | 0xddbfcc | 0x360 | data | |
            RT_STRING | 0xddc32c | 0x524 | data | |
            RT_STRING | 0xddc850 | 0x524 | data | |
            RT_STRING | 0xddcd74 | 0xbc0 | data | |
            RT_STRING | 0xddd934 | 0x6bc | data | |
            RT_STRING | 0xdddff0 | 0x2d4 | data | |
            RT_STRING | 0xdde2c4 | 0x440 | data | |
            RT_STRING | 0xdde704 | 0xff4 | data | |
            RT_STRING | 0xddf6f8 | 0xa94 | data | |
            RT_STRING | 0xde018c | 0x9fc | data | |
            RT_STRING | 0xde0b88 | 0x918 | data | |
            RT_STRING | 0xde14a0 | 0x6e8 | data | |
            RT_STRING | 0xde1b88 | 0x3f0 | data | |
            RT_STRING | 0xde1f78 | 0x430 | data | |
            RT_STRING | 0xde23a8 | 0x34c | data | |
            RT_STRING | 0xde26f4 | 0x478 | data | |
            RT_STRING | 0xde2b6c | 0x380 | data | |
            RT_STRING | 0xde2eec | 0x3a4 | data | |
            RT_STRING | 0xde3290 | 0x28c | data | |
            RT_STRING | 0xde351c | 0x40c | data | |
            RT_STRING | 0xde3928 | 0x2c0 | data | |
            RT_STRING | 0xde3be8 | 0x3f4 | data | |
            RT_STRING | 0xde3fdc | 0x9c | data | |
            RT_STRING | 0xde4078 | 0xf4 | data | |
            RT_STRING | 0xde416c | 0x148 | data | |
            RT_STRING | 0xde42b4 | 0x410 | data | |
            RT_STRING | 0xde46c4 | 0x3e4 | data | |
            RT_STRING | 0xde4aa8 | 0x4b8 | data | |
            RT_STRING | 0xde4f60 | 0x2bc | data | |
            RT_STRING | 0xde521c | 0x3c8 | data | |
            RT_STRING | 0xde55e4 | 0x650 | data | |
            RT_STRING | 0xde5c34 | 0x490 | data | |
            RT_STRING | 0xde60c4 | 0x388 | data | |
            RT_STRING | 0xde644c | 0x404 | data | |
            RT_STRING | 0xde6850 | 0x240 | data | |
            RT_STRING | 0xde6a90 | 0xb8 | data | |
            RT_STRING | 0xde6b48 | 0xd0 | data | |
            RT_STRING | 0xde6c18 | 0x330 | data | |
            RT_STRING | 0xde6f48 | 0x4b0 | data | |
            RT_STRING | 0xde73f8 | 0x36c | data | |
            RT_STRING | 0xde7764 | 0x2c4 | data | |
            RT_GROUP_ICON | 0xde7a28 | 0x14 | data | English | United States
            RT_MANIFEST | 0xde7a3c | 0x350 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

            Imports

            DLL | Import
            MSACM32.dll | acmMetrics
            MSVCRT.dll | __p__fmode, _except_handler3, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, _controlfp, __set_app_type, memset, __p__commode, _adjust_fdiv, __setusermatherr
            COMCTL32.dll | ImageList_GetBkColor, InitializeFlatSB, ImageList_Write, ImageList_SetOverlayImage, ImageList_SetImageCount, ImageList_SetIconSize, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Replace, ImageList_Remove, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_DrawEx, ImageList_GetDragImage, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_GetImageInfo, ImageList_LoadImageW, ImageList_Read
            VERSION.dll | VerQueryValueW
            KERNEL32.dll | LoadLibraryA, LoadLibraryExW, LoadLibraryW, LoadResource, LeaveCriticalSection, LocalFileTimeToFileTime, LocalFree, LockResource, lstrcpynW, lstrlenW, MapViewOfFile, MoveFileW, MulDiv, MultiByteToWideChar, QueryDosDeviceW, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFile, RemoveDirectoryW, ResetEvent, ResumeThread, SetCurrentDirectoryW, SetEndOfFile, SetErrorMode, SetEvent, SetFileAttributesW, SetFilePointer, SetFileTime, SetLastError, SetThreadLocale, SetThreadPriority, SetVolumeLabelW, SizeofResource, Sleep, SleepEx, SuspendThread, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualQuery, VirtualQueryEx, WaitForMultipleObjectsEx, WaitForSingleObject, WideCharToMultiByte, WriteFile, IsValidCodePage, EnterCriticalSection, GetCommandLineA, GetSystemTimeAsFileTime, GetModuleHandleA, GetStartupInfoA, IsValidLocale, InterlockedExchangeAdd, InterlockedCompareExchange, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalMemoryStatus, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetTempFileNameW, GetSystemInfo, GetStringTypeExW, GetStringTypeExA, GetStdHandle, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDriveStringsW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetFileAttributesExW, GetExitCodeThread, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentProcessId, GetCurrentDirectoryW, GetCPInfoExW, GetComputerNameW, GetCommandLineW, GetACP, FreeResource, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToLocalFileTime, GetLocaleInfoW, ExitProcess, GetOEMCP, LocalAlloc
            USER32.dll | KillTimer, LoadBitmapW, LoadCursorW, LoadIconW, LoadKeyboardLayoutW, LoadStringW, MapVirtualKeyW, MapWindowPoints, MsgWaitForMultipleObjectsEx, OemToCharA, OemToCharBuffA, OffsetRect, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageW, PostQuitMessage, PtInRect, RedrawWindow, RegisterClassW, RegisterClipboardFormatW, RegisterWindowMessageW, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropW, ScreenToClient, ScrollWindow, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetClassLongW, SetClipboardData, SetCursorPos, SetFocus, SetForegroundWindow, SetMenuItemInfoW, SetParent, SetPropW, SetRect, SetScrollInfo, SetScrollPos, SetScrollRange, SetTimer, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, ShowCaret, ShowOwnedPopups, ShowScrollBar, ShowWindow, SystemParametersInfoW, TrackPopupMenu, TranslateMDISysAccel, TranslateMessage, UnhookWindowsHookEx, UnregisterClassW, UpdateWindow, WaitMessage, WindowFromPoint, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRgn, InvalidateRect, InsertMenuW, InsertMenuItemW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetLastActivePopup, GetKeyNameTextW, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetClipboardData, GetClientRect, GetClassNameW, GetClassLongW, GetClassInfoW, GetClassInfoExW, GetCapture, GetActiveWindow, FrameRect, FindWindowW, FindWindowExW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextW, DrawTextExW, DrawMenuBar, DrawIconEx, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreateWindowExW, CreatePopupMenu, CreateMenu, CreateIcon, EmptyClipboard, GetKeyState, GetSysColor, GetCursorPos
            GDI32.dll | GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDIBits, GetDIBColorTable, GetDeviceCaps, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetObjectW, GetPaletteEntries, LineTo, GetBitmapBits, MaskBlt, MoveToEx, PatBlt, Pie, PlayEnhMetaFile, PolyBezierTo, Polygon, Polyline, RealizePalette, Rectangle, RectVisible, ResizePalette, RestoreDC, RoundRect, GetWinMetaFileBits, SaveDC, SelectObject, SelectPalette, SetAbortProc, SetBkColor, SetBkMode, SetBrushOrgEx, SetDIBColorTable, SetDIBits, SetEnhMetaFileBits, SetMapMode, SetPixel, SetROP2, SetStretchBltMode, SetTextColor, SetViewportOrgEx, SetWindowOrgEx, SetWinMetaFileBits, StartDocW, StartPage, StretchBlt, StretchDIBits, UnrealizeObject, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, LPtoDP, EndDoc, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, IntersectClipRect
            ADVAPI32.dll | RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryValueExA, RegQueryInfoKeyW, RegOpenKeyExW, RegUnLoadKeyW
            ole32.dll | OleSetMenuDescriptor, OleDraw, OleUninitialize, ProgIDFromCLSID, StringFromCLSID, OleInitialize, OleRegEnumVerbs
            OLEAUT32.dll | VariantInit, VariantCopyInd, SafeArrayPutElement, SafeArrayUnaccessData, SetErrorInfo, SysAllocStringLen, SysFreeString, SysReAllocStringLen, VariantChangeType, VariantClear, GetErrorInfo

            Possible Origin

            Language of compilation system | Country where language is spoken
            English | United States

            Network Behavior

            Network Port Distribution

            TCP Packets

            UDP Packets

            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Aug 6, 2021 16:19:31.548198938 CEST | 192.168.2.4 | 8.8.8.8 | 0x4bbc | Standard query (0) | nikolakigreate.live | A (IP address) | IN (0x0001)
            Aug 6, 2021 16:20:19.165663958 CEST | 192.168.2.4 | 8.8.8.8 | 0x9663 | Standard query (0) | nikolakigreate.live | A (IP address) | IN (0x0001)
            Aug 6, 2021 16:20:19.959073067 CEST | 192.168.2.4 | 8.8.8.8 | 0xe5d0 | Standard query (0) | nikolakigreate.live | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Aug 6, 2021 16:19:31.591110945 CEST | 8.8.8.8 | 192.168.2.4 | 0x4bbc | No error (0) | nikolakigreate.live | | 172.67.150.157 | A (IP address) | IN (0x0001)
            Aug 6, 2021 16:19:31.591110945 CEST | 8.8.8.8 | 192.168.2.4 | 0x4bbc | No error (0) | nikolakigreate.live | | 104.21.30.56 | A (IP address) | IN (0x0001)
            Aug 6, 2021 16:20:19.202171087 CEST | 8.8.8.8 | 192.168.2.4 | 0x9663 | No error (0) | nikolakigreate.live | | 172.67.150.157 | A (IP address) | IN (0x0001)
            Aug 6, 2021 16:20:19.202171087 CEST | 8.8.8.8 | 192.168.2.4 | 0x9663 | No error (0) | nikolakigreate.live | | 104.21.30.56 | A (IP address) | IN (0x0001)
            Aug 6, 2021 16:20:19.994328022 CEST | 8.8.8.8 | 192.168.2.4 | 0xe5d0 | No error (0) | nikolakigreate.live | | 172.67.150.157 | A (IP address) | IN (0x0001)
            Aug 6, 2021 16:20:19.994328022 CEST | 8.8.8.8 | 192.168.2.4 | 0xe5d0 | No error (0) | nikolakigreate.live | | 104.21.30.56 | A (IP address) | IN (0x0001)

            HTTPS Packets

            Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
            Aug 6, 2021 16:20:19.245548010 CEST | 172.67.150.157 | 443 | 192.168.2.4 | 49759 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Fri Oct 02 02:00:00 CEST 2020 | Sat Oct 02 14:00:00 CEST 2021 | 771,49200-49196-49192-49188-49172-49162-165-163-161-159-107-106-105-104-57-56-55-54-136-135-134-133-49202-49198-49194-49190-49167-49157-157-61-53-132-49199-49195-49191-49187-49171-49161-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-69-68-67-66-49201-49197-49193-49189-49166-49156-156-60-47-150-65-7-49169-49159-49164-49154-5-4-49170-49160-22-19-16-13-49165-49155-10-255,0-11-10-35-13-15,23-25-28-27-24-26-22-14-13-11-12-9-10,0-1-2 | fd80fa9c6120cdeea8520510f3c644ac
            (chain, same connection) | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |
            Aug 6, 2021 16:20:20.038738012 CEST | 172.67.150.157 | 443 | 192.168.2.4 | 49760 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Fri Oct 02 02:00:00 CEST 2020 | Sat Oct 02 14:00:00 CEST 2021 | 771,49200-49196-49192-49188-49172-49162-165-163-161-159-107-106-105-104-57-56-55-54-136-135-134-133-49202-49198-49194-49190-49167-49157-157-61-53-132-49199-49195-49191-49187-49171-49161-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-69-68-67-66-49201-49197-49193-49189-49166-49156-156-60-47-150-65-7-49169-49159-49164-49154-5-4-49170-49160-22-19-16-13-49165-49155-10-255,0-11-10-35-13-15,23-25-28-27-24-26-22-14-13-11-12-9-10,0-1-2 | fd80fa9c6120cdeea8520510f3c644ac
            (chain, same connection) | | | | | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |

            Code Manipulations

            Statistics

            CPU Usage

            Memory Usage

            High Level Behavior Distribution

            Behavior

            System Behavior

            General

            Start time: 16:19:12
            Start date: 06/08/2021
            Path: C:\Users\user\Desktop\6v8QbANftP.exe
            Wow64 process (32bit): true
            Commandline: 'C:\Users\user\Desktop\6v8QbANftP.exe'
            Imagebase: 0x400000
            File size: 1908736 bytes
            MD5 hash: D2D3438E61D5DCD688652F3F9A67ACDF
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: low

            General

            Start time: 16:19:19
            Start date: 06/08/2021
            Path: C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit): true
            Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 864
            Imagebase: 0xfc0000
            File size: 434592 bytes
            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: high

            General

            Start time: 16:19:38
            Start date: 06/08/2021
            Path: C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit): true
            Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 900
            Imagebase: 0xfc0000
            File size: 434592 bytes
            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: high

            General

            Start time: 16:19:55
            Start date: 06/08/2021
            Path: C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit): true
            Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 952
            Imagebase: 0xfc0000
            File size: 434592 bytes
            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: high

            General

            Start time: 16:20:27
            Start date: 06/08/2021
            Path: C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit): true
            Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 952
            Imagebase: 0xfc0000
            File size: 434592 bytes
            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: high

            Disassembly

            Code Analysis
