Play interactive tour

Edit tour

Windows Analysis Report 6v8QbANftP.exe

Overview

General Information

Sample Name:	6v8QbANftP.exe
Analysis ID:	460783
MD5:	d2d3438e61d5dcd688652f3f9a67acdf
SHA1:	e5ef89d044944987a23578ed102eb584f58371ae
SHA256:	67cd12a71d272aac15500b452bfc4c3228e0b7120ba75a19543257b7223b2ce0
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

PE file contains strange resources

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious ftp.exe

Uses 32bit PE files

Classification

Process Tree

System is w10x64

6v8QbANftP.exe (PID: 576 cmdline: 'C:\Users\user\Desktop\6v8QbANftP.exe' MD5: D2D3438E61D5DCD688652F3F9A67ACDF)

WerFault.exe (PID: 2220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 844 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 904 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 1528 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 1028 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 1656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 1028 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Suspicious ftp.exe

Show sources

Source: Process started

Author: Victor Sergeev, oscd.community: Data: Command: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 844, CommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 844, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WerFault.exe, NewProcessName: C:\Windows\SysWOW64\WerFault.exe, OriginalFileName: C:\Windows\SysWOW64\WerFault.exe, ParentCommandLine: 'C:\Users\user\Desktop\6v8QbANftP.exe' , ParentImage: C:\Users\user\Desktop\6v8QbANftP.exe, ParentProcessId: 576, ProcessCommandLine: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 844, ProcessId: 2220

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 6v8QbANftP.exe	Virustotal: Detection: 57%			Perma Link
Source: 6v8QbANftP.exe	ReversingLabs: Detection: 71%

Machine Learning detection for sample

Show sources

Source: 6v8QbANftP.exe

Joe Sandbox ML: detected

Source: 7.2.WerFault.exe.5120000.14.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 19.2.WerFault.exe.5460000.15.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 4.2.WerFault.exe.55c0000.12.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 26.2.WerFault.exe.57a0000.14.unpack	Avira: Label: TR/Crypt.XPACK.Gen2

Source: 6v8QbANftP.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 172.67.150.157:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.157:443 -> 192.168.2.7:49728 version: TLS 1.2

Source:	Binary string: msacm32.pdb source: WerFault.exe, 00000004.00000003.258348072.00000000054A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.330313122.0000000005340000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdbe source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbY source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb3)P source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbu- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: msg711.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: l3codeca.pdb[)x source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.321272091.0000000000ECE000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: msadp32.pdbo source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbw source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: imaadp32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb[g source: WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb5 source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbQ- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: msg711.pdbU source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: AppxSip.pdbA)B source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbc)` source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: tdh.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: msadp32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbE- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbY source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: msadp32.pdb+- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdbC- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: mintdh.pdbW)t source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329802760.0000000005351000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381349482.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdbZkJ source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdbq source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: l3codeca.pdbg- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.258348072.00000000054A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.330313122.0000000005340000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: tdh.pdbXf source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: imaadp32.pdbO)L source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb9 source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: XmlLite.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb7- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.258348072.00000000054A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.330313122.0000000005340000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdbi$' source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb\) source: WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb{ source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb<kl source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb? source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: tdh.pdbc. source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdbC source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: mintdh.pdb- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb_ source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: AppxSip.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb`/ source: WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbg$= source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: imaadp32.pdb-- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: msg711.pdb[- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb0kp source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb!- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbe source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: imaadp32.pdbi source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb]- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbM source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdbXo source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdbU source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbe)f source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: OpcServices.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: l3codeca.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: msgsm32.pdbs- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: l3codeca.pdbd' source: WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbo' source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 00000013.00000003.320234448.0000000004A6B000.00000004.00000001.sdmp
Source:	Binary string: XmlLite.pdb_ source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: mintdh.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbi)j source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb*kz source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbO- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdbc' source: WerFault.exe, 0000001A.00000003.381349482.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.253706570.0000000000F83000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.321272091.0000000000ECE000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.367964439.000000000113F000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbi- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: AppxSip.pdbC source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: msgsm32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb{ source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbe source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbq source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb])~ source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb9- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.258348072.00000000054A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.330313122.0000000005340000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb]$3 source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbfkF source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381802711.0000000005686000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb$\ source: WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.258348072.00000000054A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.330313122.0000000005340000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbC$ source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdbM source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb5)V source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: msgsm32.pdbq) source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdbw source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381802711.0000000005686000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: OpcServices.pdbXo source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp

Source: Joe Sandbox View

JA3 fingerprint: fd80fa9c6120cdeea8520510f3c644ac

Source: unknown

DNS traffic detected: queries for: nikolakigreate.live

Source: 6v8QbANftP.exe, 00000000.00000000.354404161.000000000154C000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digi
Source: 6v8QbANftP.exe, 00000000.00000003.343539547.0000000001567000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt
Source: 6v8QbANftP.exe, 00000000.00000003.343508189.000000000157D000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: WerFault.exe, 0000001A.00000003.428174460.0000000004D5C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: 6v8QbANftP.exe, 00000000.00000000.354404161.000000000154C000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Cloudf
Source: 6v8QbANftP.exe, 00000000.00000000.354035368.00000000014F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl
Source: 6v8QbANftP.exe, 00000000.00000000.354035368.00000000014F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: 6v8QbANftP.exe, 00000000.00000000.354035368.00000000014F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl
Source: 6v8QbANftP.exe, 00000000.00000003.344099153.0000000001552000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: 6v8QbANftP.exe, 00000000.00000000.354035368.00000000014F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crlZE
Source: 6v8QbANftP.exe, 00000000.00000000.354404161.000000000154C000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.di
Source: 6v8QbANftP.exe, 00000000.00000000.354035368.00000000014F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl
Source: 6v8QbANftP.exe, 00000000.00000003.343508189.000000000157D000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: 6v8QbANftP.exe, 00000000.00000000.354035368.00000000014F7000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crlW
Source: 6v8QbANftP.exe, 00000000.00000000.354404161.000000000154C000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digic
Source: 6v8QbANftP.exe, 00000000.00000000.354035368.00000000014F7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: 6v8QbANftP.exe, 00000000.00000003.343539547.0000000001567000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 6v8QbANftP.exe, 00000000.00000003.344099153.0000000001552000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: 6v8QbANftP.exe, 00000000.00000000.354035368.00000000014F7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com6pE
Source: 6v8QbANftP.exe, 00000000.00000000.243212376.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: 6v8QbANftP.exe, 00000000.00000000.243212376.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 6v8QbANftP.exe, 00000000.00000000.243212376.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxversion6.1.6needs_syncnever_activated_since_loadedpat
Source: 6v8QbANftP.exe, 00000000.00000003.343552097.0000000001572000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 6v8QbANftP.exe, 00000000.00000000.243212376.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: https://test.com/
Source: 6v8QbANftP.exe, 00000000.00000000.243212376.0000000000400000.00000040.00020000.sdmp	String found in binary or memory: https://test.com/session.restore_on_startupsession.startup_urlssuper_mac
Source: 6v8QbANftP.exe, 00000000.00000003.344099153.0000000001552000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Source: unknown	HTTPS traffic detected: 172.67.150.157:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.157:443 -> 192.168.2.7:49728 version: TLS 1.2

Source: C:\Users\user\Desktop\6v8QbANftP.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 844

Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6v8QbANftP.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 6v8QbANftP.exe, 00000000.00000000.303220921.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemsfltr32.acm.muij% vs 6v8QbANftP.exe
Source: 6v8QbANftP.exe, 00000000.00000000.353834898.00000000013B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemsg711.acm.muij% vs 6v8QbANftP.exe
Source: 6v8QbANftP.exe, 00000000.00000000.244968491.00000000013A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemsadp32.acm.muij% vs 6v8QbANftP.exe
Source: 6v8QbANftP.exe, 00000000.00000000.244984415.00000000013C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemsgsm32.acm.muij% vs 6v8QbANftP.exe

Source: 6v8QbANftP.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: 6v8QbANftP.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal52.winEXE@5/16@3/1

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess576

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC21.tmp

Jump to behavior

Source: C:\Users\user\Desktop\6v8QbANftP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\6v8QbANftP.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\6v8QbANftP.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\6v8QbANftP.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\6v8QbANftP.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 6v8QbANftP.exe	Virustotal: Detection: 57%
Source: 6v8QbANftP.exe	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\6v8QbANftP.exe 'C:\Users\user\Desktop\6v8QbANftP.exe'
Source: C:\Users\user\Desktop\6v8QbANftP.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 844
Source: C:\Users\user\Desktop\6v8QbANftP.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 904
Source: C:\Users\user\Desktop\6v8QbANftP.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 1028
Source: C:\Users\user\Desktop\6v8QbANftP.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 1028

Source: 6v8QbANftP.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 6v8QbANftP.exe

Static file information: File size 1908736 > 1048576

Source: 6v8QbANftP.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x175000

Source:	Binary string: msacm32.pdb source: WerFault.exe, 00000004.00000003.258348072.00000000054A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.330313122.0000000005340000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdbe source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbY source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb3)P source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbu- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: msg711.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: l3codeca.pdb[)x source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.321272091.0000000000ECE000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: msadp32.pdbo source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbw source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: imaadp32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb[g source: WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb5 source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbQ- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: msg711.pdbU source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: AppxSip.pdbA)B source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbc)` source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: tdh.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: msadp32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbE- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbY source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: msadp32.pdb+- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdbC- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: mintdh.pdbW)t source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329802760.0000000005351000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381349482.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdbZkJ source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdbq source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: l3codeca.pdbg- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.258348072.00000000054A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.330313122.0000000005340000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: tdh.pdbXf source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: imaadp32.pdbO)L source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb9 source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: XmlLite.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb7- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.258348072.00000000054A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.330313122.0000000005340000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdbi$' source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb\) source: WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb{ source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb<kl source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb? source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: tdh.pdbc. source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdbC source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: mintdh.pdb- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb_ source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: AppxSip.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb`/ source: WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbg$= source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: imaadp32.pdb-- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: msg711.pdb[- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb0kp source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb!- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbe source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: imaadp32.pdbi source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb]- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbM source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdbXo source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdbU source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbe)f source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: OpcServices.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: l3codeca.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: msgsm32.pdbs- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: l3codeca.pdbd' source: WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbo' source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 00000013.00000003.320234448.0000000004A6B000.00000004.00000001.sdmp
Source:	Binary string: XmlLite.pdb_ source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: mintdh.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbi)j source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb*kz source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbO- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdbc' source: WerFault.exe, 0000001A.00000003.381349482.0000000005691000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.253706570.0000000000F83000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.321272091.0000000000ECE000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.367964439.000000000113F000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbi- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381450139.0000000005683000.00000004.00000040.sdmp
Source:	Binary string: AppxSip.pdbC source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: msgsm32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb{ source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdbe source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbq source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb])~ source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb9- source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.258348072.00000000054A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.330313122.0000000005340000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb]$3 source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdbfkF source: WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381802711.0000000005686000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb$\ source: WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.258348072.00000000054A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291044044.0000000004C50000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.330313122.0000000005340000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381774378.0000000005680000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbC$ source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdbM source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb5)V source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329831583.000000000534C000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381401900.000000000568C000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: msgsm32.pdbq) source: WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.258261668.00000000054D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.290917065.0000000005031000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.330078359.0000000005371000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.381631257.00000000056B1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdbw source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 00000004.00000003.258284764.00000000054A1000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.290973071.0000000004C51000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329854486.0000000005343000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381802711.0000000005686000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.258294091.00000000054A7000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp, WerFault.exe, 00000013.00000003.329927661.0000000005349000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.381824713.0000000005689000.00000004.00000040.sdmp
Source:	Binary string: OpcServices.pdbXo source: WerFault.exe, 00000007.00000003.291067582.0000000004C57000.00000004.00000040.sdmp

Source: 6v8QbANftP.exe

Static PE information: section name: .data1

Source: initial sample

Static PE information: section name: .text entropy: 7.9131965055

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: WerFault.exe, 00000004.00000002.267432516.0000000005240000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.298334737.0000000005300000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.341496564.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 0000001A.00000002.435397577.0000000005590000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000001A.00000003.403864281.0000000004D6A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWp
Source: WerFault.exe, 0000001A.00000003.402643121.0000000004D6A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllows" gp="windows8" app="6v8QbANftP.exe">
Source: WerFault.exe, 0000001A.00000003.428499660.0000000001108000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000004.00000002.267432516.0000000005240000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.298334737.0000000005300000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.341496564.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 0000001A.00000002.435397577.0000000005590000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.267432516.0000000005240000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.298334737.0000000005300000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.341496564.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 0000001A.00000002.435397577.0000000005590000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 6v8QbANftP.exe, 00000000.00000000.245043745.00000000014F7000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 00000004.00000002.267432516.0000000005240000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.298334737.0000000005300000.00000002.00000001.sdmp, WerFault.exe, 00000013.00000002.341496564.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 0000001A.00000002.435397577.0000000005590000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\6v8QbANftP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\6v8QbANftP.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\6v8QbANftP.exe	Process queried: DebugPort			Jump to behavior

Source: 6v8QbANftP.exe, 00000000.00000000.354956969.0000000001B70000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: 6v8QbANftP.exe, 00000000.00000000.354956969.0000000001B70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 6v8QbANftP.exe, 00000000.00000000.354956969.0000000001B70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: 6v8QbANftP.exe, 00000000.00000000.354956969.0000000001B70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\6v8QbANftP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection2	Virtualization/Sandbox Evasion1	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing3	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
6v8QbANftP.exe	57%	Virustotal		Browse
6v8QbANftP.exe	71%	ReversingLabs	Win32.Trojan.Bingoml
6v8QbANftP.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.2.WerFault.exe.5120000.14.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
19.2.WerFault.exe.5460000.15.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
4.2.WerFault.exe.55c0000.12.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
0.0.6v8QbANftP.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
26.2.WerFault.exe.57a0000.14.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File

Domains

Source	Detection	Scanner	Label	Link
nikolakigreate.live	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://cacerts.digi	0%	Avira URL Cloud	safe
http://crl4.di	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	URL Reputation	safe
http://ocsp.digic	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nikolakigreate.live	104.21.30.56	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cacerts.digi	6v8QbANftP.exe, 00000000.00000000.354404161.000000000154C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://clients2.google.com/service/update2/crxversion6.1.6needs_syncnever_activated_since_loadedpat	6v8QbANftP.exe, 00000000.00000000.243212376.0000000000400000.00000040.00020000.sdmp	false		high
http://crl4.di	6v8QbANftP.exe, 00000000.00000000.354404161.000000000154C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsoft	WerFault.exe, 0000001A.00000003.428174460.0000000004D5C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://test.com/	6v8QbANftP.exe, 00000000.00000000.243212376.0000000000400000.00000040.00020000.sdmp	false		high
http://ocsp.digic	6v8QbANftP.exe, 00000000.00000000.354404161.000000000154C000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://test.com/session.restore_on_startupsession.startup_urlssuper_mac	6v8QbANftP.exe, 00000000.00000000.243212376.0000000000400000.00000040.00020000.sdmp	false		high
http://www.openssl.org/support/faq.html	6v8QbANftP.exe, 00000000.00000000.243212376.0000000000400000.00000040.00020000.sdmp	false		high
https://clients2.google.com/service/update2/crx	6v8QbANftP.exe, 00000000.00000000.243212376.0000000000400000.00000040.00020000.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.150.157	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	460783
Start date:	06.08.2021
Start time:	16:26:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	6v8QbANftP.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.winEXE@5/16@3/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.189.173.21, 52.147.198.201, 23.211.4.86, 20.189.173.22, 20.82.210.154, 93.184.221.240, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.209.183 Excluded domains from analysis (whitelisted): onedsblobprdwus17.westus.cloudapp.azure.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, onedsblobprdwus16.westus.cloudapp.azure.com, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.150.157	6v8QbANftP.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	6v8QbANftP.exe	Get hash	malicious	Browse	172.67.150.157
	DOC040821.exe	Get hash	malicious	Browse	172.67.188.138
	FC73GQTY0090TWI.exe	Get hash	malicious	Browse	172.67.160.130
	Referans iin orijinal nakliye belgeleri.xls.exe	Get hash	malicious	Browse	104.21.19.200
	Payment Advice.exe	Get hash	malicious	Browse	104.21.19.200
	QRT02135.exe	Get hash	malicious	Browse	172.67.160.130
	FC73GQTY0090TWMNA.exe	Get hash	malicious	Browse	104.18.6.156
	Invoicel-datasheet.exe	Get hash	malicious	Browse	104.18.7.156
	Devis.exe	Get hash	malicious	Browse	104.21.19.200
	FX-Transfer-Form.xlsx	Get hash	malicious	Browse	23.227.38.74
	Po 08062021.exe	Get hash	malicious	Browse	104.21.19.200
	ASM9WQK4L9.exe	Get hash	malicious	Browse	104.21.19.200
	yyyy.exe	Get hash	malicious	Browse	104.23.98.190
	CTP0cLlCLh.exe	Get hash	malicious	Browse	104.21.87.184
	EGBl6IQ92a.exe	Get hash	malicious	Browse	104.21.14.85
	BOQ-DOU-2021-09-02.exe	Get hash	malicious	Browse	172.67.188.154
	LIST.KRT.exe	Get hash	malicious	Browse	104.16.14.194
	Transfer receipt Copy 1038690332210516.exe	Get hash	malicious	Browse	172.67.188.154
	Facilities_Payment_Remittance_Advice.htm	Get hash	malicious	Browse	104.21.50.81
	SecuriteInfo.com.ArtemisF25F629DE8FD.21928.exe	Get hash	malicious	Browse	104.21.19.200

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
fd80fa9c6120cdeea8520510f3c644ac	6v8QbANftP.exe	Get hash	malicious	Browse	172.67.150.157
	spjYwLgrAT.exe	Get hash	malicious	Browse	172.67.150.157
	spjYwLgrAT.exe	Get hash	malicious	Browse	172.67.150.157
	egGgMixHNS.exe	Get hash	malicious	Browse	172.67.150.157
	egGgMixHNS.exe	Get hash	malicious	Browse	172.67.150.157
	5KYnVcv9cf.exe	Get hash	malicious	Browse	172.67.150.157
	5KYnVcv9cf.exe	Get hash	malicious	Browse	172.67.150.157
	pjjaluln.exe	Get hash	malicious	Browse	172.67.150.157
	KMSPico 11.1.2.exe	Get hash	malicious	Browse	172.67.150.157

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_6v8QbANftP.exe_688edab69f7ff65bdccb9775bfc9ed6983279f0_57fa7400_07082906\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	14250
Entropy (8bit):	3.772209322877049
Encrypted:	false
SSDEEP:	192:LyBL3xs4Hzv+ijqc5HBWMj/u7sTS274It1utx:G9Xzv+ijFj/u7sTX4ItUb
MD5:	B6382D25565E2C900B85218F55334B52
SHA1:	7926177057A50EFB8751C506EBC82113755CDF10
SHA-256:	AD0FC98EBAA5E0D5B4D6D0E4C12B8BFA2D2F1AB81FFC2520EBCAF5054189FBCA
SHA-512:	D64A0639A330E541EF4691F590D410BC1CF7D4900FA3E1E9AB5CB74A0351C91D45F703E36D7D584E7E44A33C1558684A9F82F6A677BA2252F416AD11E851C8DC
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.2.7.6.6.0.9.3.8.0.6.4.7.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.2.7.6.6.1.0.6.9.4.7.0.9.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.3.d.6.8.0.9.f.-.9.9.c.7.-.4.9.1.6.-.8.d.6.c.-.2.a.2.2.a.e.b.a.9.c.6.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.6.0.5.a.d.8.-.2.0.f.4.-.4.f.1.d.-.9.6.d.2.-.3.b.2.2.1.9.2.b.0.1.5.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.v.8.Q.b.A.N.f.t.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.4.0.-.0.0.0.1.-.0.0.1.7.-.2.b.c.3.-.9.4.9.3.1.a.8.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.6.e.1.2.3.d.9.6.6.8.9.e.1.f.9.e.d.d.b.4.3.3.8.7.d.6.4.9.6.e.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.e.f.8.9.d.0.4.4.9.4.4.9.8.7.a.2.3.5.7.8.e.d.1.0.2.e.b.5.8.4.f.5.8.3.7.1.a.e.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6v8QbANftP.exe_3e8d3c5530a4b16fbd0afa5ead9a91546222d_57fa7400_04977f97\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	13746
Entropy (8bit):	3.7709716969071225
Encrypted:	false
SSDEEP:	192:gnL31PH56rQjqc5HBWM2/u7s4S274Iteu1:gbV56rQjF2/u7s4X4ItR1
MD5:	49E830EC636505C2B7DC03148E804904
SHA1:	9C064AFDFDF6343DED060F2F84FD99B457137B86
SHA-256:	C789D9FAA7187C28D839A74AF43A0658F6D4E7B4E914399AE5812C2A4EC58676
SHA-512:	80B74795AF72F3EDEA66B3509A017383434580C7D2C0F6390A6515820C4AA7D254150A9DF241CCE8A9E54911AF057EB9DF7AC84CE522D0A1E3511F292CCB834B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.2.7.6.6.0.7.0.3.9.4.5.0.6.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.3.b.8.4.8.9.-.1.8.1.d.-.4.6.2.e.-.a.7.2.8.-.c.f.3.3.c.1.4.e.b.0.3.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.6.2.8.8.5.3.d.-.0.1.f.2.-.4.f.a.d.-.8.b.c.b.-.8.6.3.8.2.c.5.0.5.3.7.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.v.8.Q.b.A.N.f.t.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.4.0.-.0.0.0.1.-.0.0.1.7.-.2.b.c.3.-.9.4.9.3.1.a.8.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.6.e.1.2.3.d.9.6.6.8.9.e.1.f.9.e.d.d.b.4.3.3.8.7.d.6.4.9.6.e.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.e.f.8.9.d.0.4.4.9.4.4.9.8.7.a.2.3.5.7.8.e.d.1.0.2.e.b.5.8.4.f.5.8.3.7.1.a.e.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.7././.2.5.:.0.5.:.3.9.:.0.8.!.0.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6v8QbANftP.exe_3e8d3c5530a4b16fbd0afa5ead9a91546222d_57fa7400_09c2fb24\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	13346
Entropy (8bit):	3.7727747925223243
Encrypted:	false
SSDEEP:	192:CxL31PH56rQjqc5HBWMJ/u7s4S274IteuR:eV56rQjFJ/u7s4X4ItRR
MD5:	D041D9F367EE435F34FDE442EA0A472D
SHA1:	38958A807DFCFF3A2DBDC92F1862BD1A8928B286
SHA-256:	DA2DDBDBCEC94A69283C933EE4ED12DF2F5242141493A7CA3C63DCC7421AFCEF
SHA-512:	05D382EA960FC54776E8679A9E80EB2476E521C4C48F8BD45CFF7922BD329AE9B78D7CC60B3E4CB69EB9DEC48D8FD62A6BED0D5F8FAD8C3E92148C81F9B1376B
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.2.7.6.6.0.3.8.6.4.9.1.6.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.2.8.7.c.c.8.3.-.5.7.3.3.-.4.a.d.7.-.a.1.f.d.-.2.c.4.1.d.1.2.d.3.f.5.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.0.c.8.a.8.d.-.9.1.8.2.-.4.3.f.5.-.a.7.e.4.-.1.3.4.1.b.3.1.0.5.5.f.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.v.8.Q.b.A.N.f.t.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.4.0.-.0.0.0.1.-.0.0.1.7.-.2.b.c.3.-.9.4.9.3.1.a.8.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.6.e.1.2.3.d.9.6.6.8.9.e.1.f.9.e.d.d.b.4.3.3.8.7.d.6.4.9.6.e.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.e.f.8.9.d.0.4.4.9.4.4.9.8.7.a.2.3.5.7.8.e.d.1.0.2.e.b.5.8.4.f.5.8.3.7.1.a.e.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.7././.2.5.:.0.5.:.3.9.:.0.8.!.0.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6v8QbANftP.exe_3e8d3c5530a4b16fbd0afa5ead9a91546222d_57fa7400_13e73678\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	13348
Entropy (8bit):	3.7738819503467185
Encrypted:	false
SSDEEP:	192:YL39PH56rQjqc5HBWMJ/u7s4S274IteuZ:eN56rQjFJ/u7s4X4ItRZ
MD5:	37D5278F259BFB1AFF7FC1A4B76A9E21
SHA1:	6ED7C52D019B29D4FA1381F6B6979041BA55755D
SHA-256:	2EC42A8D7A4BBE9C6D6BB3418EA7B27A930212FA9C98C14086790291535F5A45
SHA-512:	0A2689DB545CFB206255A7E60C45C8F546C007EA794A840F93D05DDBDCE6867C22AACD617404DA5AEB9E468620DB7E66B0491805BD1B5D58FE54D94B89251DC3
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.2.7.6.6.0.5.3.1.6.8.4.4.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.0.6.3.5.7.1.-.e.4.5.9.-.4.0.9.3.-.a.3.c.3.-.4.b.6.a.3.0.7.c.a.5.7.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.f.f.8.e.7.8.-.0.8.8.0.-.4.9.0.5.-.b.d.5.0.-.5.0.f.2.0.7.4.8.a.8.4.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.v.8.Q.b.A.N.f.t.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.4.0.-.0.0.0.1.-.0.0.1.7.-.2.b.c.3.-.9.4.9.3.1.a.8.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.1.6.e.1.2.3.d.9.6.6.8.9.e.1.f.9.e.d.d.b.4.3.3.8.7.d.6.4.9.6.e.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.e.f.8.9.d.0.4.4.9.4.4.9.8.7.a.2.3.5.7.8.e.d.1.0.2.e.b.5.8.4.f.5.8.3.7.1.a.e.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.7././.2.5.:.0.5.:.3.9.:.0.8.!.0.!.6.v.8.Q.b.A.N.f.t.P...e.x.e.....B.o.o.t.I.d.=.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER24D4.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 6 23:27:35 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	71368
Entropy (8bit):	2.14778754310421
Encrypted:	false
SSDEEP:	384:fYxw1aNRKoQjSHcbiEVGz2lvVPRed20jEK:fYxgaNRKWcvVGz2ld4d5r
MD5:	259AEB8C13BC913F8D3A5EB3BCCB0BA5
SHA1:	90760C92A89D7E4510BEE45ECCD3E66A8CE9452F
SHA-256:	C7F6DD5574D386B7F48BAD5E7EA9C9E795C03B0B57757C7711F7D8B6682258FC
SHA-512:	BDA6D70B00336FA77BE9946CC7EE8A69C962E1A431ACB4651E5199376A9B7D4DD71FFD2B8570F113D012A04C35B1D823FD27E1FD4E66719D5B8E461300DF0385
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......g..a...................U...........B......H%......GenuineIntelW...........T.......@...M..a.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F64.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.7072834988642303
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNir66Ht6Yg4SUUsjEgmfaSmCpBV89bVOXsfWP0m:RrlsNiG6N6YPSUUsjEgmfaS+VOcfWB
MD5:	6051820D507D47D818C64C82CF58C467
SHA1:	81B9758B865F80D27F8AFEF1AD2D1CA76EDCC7FE
SHA-256:	E66F68CE7F93908B18AC82D8DD6F15A27201101D4F4CDE0667600462CE36BE12
SHA-512:	E91D8E4E7D51A69032834608492BA3D9EB35007E0FF663E5CBC897B09FF4F55341E497D8790320F41B1C6E68592FD6C551B59CCE581B31629EA14EFBCBC7D8BC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.6.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3253.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.507450227221875
Encrypted:	false
SSDEEP:	48:cvIwSD8zsHJgtWI9+oWSC8Bas8fm8M4JuSyZFQI+q8d8UlbO34xld:uITfpFBSNERJgBQly4xld
MD5:	F3022C2A9DBD4C1F64AB22D66234A7A5
SHA1:	E15FD2F70164A6988E261A7B9D72C55D22BE0278
SHA-256:	80A067805A7F9089D81DF9D49B84D87B6DEE024CB3CB68C6B939B2EA9D9C94DC
SHA-512:	5FC5C4DD0492A08325C5BA37684ABA9234EF97266E5944412D0A60D07FB76C78AF0567B43BEE7878269556370AA8CB142EEBEFF983C0E14E78B92EAB87B6952E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1110758" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6827.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Aug 6 23:27:53 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	79620
Entropy (8bit):	2.0618531387108687
Encrypted:	false
SSDEEP:	384:sY7fdnlN0y6GYnPGVih6cVGSFJFwVF62cpJ4VooNx:sY7fdnlN0yiGo5VG4JFwbcpMTP
MD5:	058FE550FFCBDF86DC58E5B1012D3161
SHA1:	8B2C3427DE30C5833675E41362C689D99FD880D0
SHA-256:	00A1D094E243A24F9EB79FB5E4F237C7B422D05A3D1CD2FC0BDF71592EB38DF9
SHA-512:	1E620BEB0FEBFC497C44A6566FCEEC1DA1697F7690D8F3E29D6CD13FC05E945CD424933E24B6DAE3041105DEF7F04F2DDE7888A47FB50D2504BD22B42C56BAB9
Malicious:	false
Preview:	MDMP....... .......y..a...................U...........B.......'......GenuineIntelW...........T.......@...M..a.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER773B.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8358
Entropy (8bit):	3.7084012447248647
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNir16iD6Yg/SUlDwgmfaSmCpBl89bV6Xsf0hRPYm:RrlsNiJ626YYSUlDwgmfaS+V6cfQp9
MD5:	AC37517E0CF66604647123BB79241DA9
SHA1:	39D3ADC05C4512FF38C52EFF808D51C2813C4263
SHA-256:	F03CEDE417D29D353D5D374D4D00B0CAF132F9B9291812AAF521BFD6996D7AA4
SHA-512:	A402A2C62BE06775AAE300D1DE94F2C8B0F99FC301D9DBD20220EF8D4337CC37F8CF0A2D389038DBBB2FEFAF02A586BF6178B587C620EA95BFF13C7AC68C6AEB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.6.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7BB1.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.5099040707814275
Encrypted:	false
SSDEEP:	48:cvIwSD8zsHJgtWI9+oWSC8B68fm8M4JuSyZFtj+q8d8UlbO34xld:uITfpFBSNZJgxQly4xld
MD5:	314172A095B933FA5AAAFA696E7950A7
SHA1:	ABCDDBF513B100753D2BB0B2B84D0E7893D3EC6A
SHA-256:	4ADD1B02DD21FE11C0724AD4B52936EA31B857C4D180995EC93F2CECBE387D0B
SHA-512:	8DC51D6408B8C5CA1D86CE7A2C94CD4BA9074AC2FFE6BB6B0648C08CD039606568AF411AAE010DA20F59031F70F9890AE217772812D2F8819071DA5497684CBB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1110758" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC395.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Aug 6 23:28:17 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	72818
Entropy (8bit):	2.069301713950705
Encrypted:	false
SSDEEP:	384:vYeYv0S0bEjyDzziaVGe3FhFwVF62cpfv/YLFOL/:vYeYv0S0rzhVGeVhFwbcpn/qu/
MD5:	C6F5742B42A7AB7F5ED30DA9A7199F85
SHA1:	4575CDF7E83BDBBEC97846C0AF024E75BCBDB580
SHA-256:	2620B88312DC53B2B9DD5D48F84218083B54B3C729528D4626A04D9FABE3D887
SHA-512:	F9DA08A698C1081D40D92F469B3593016599ABD9991BAE524CA5E183FA875E86B234D06C479345B61985893F255639E443573EB2132A7550FDAC746EDA352234
Malicious:	false
Preview:	MDMP....... ..........a...................U...........B.......'......GenuineIntelW...........T.......@...M..a.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4BC.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8378
Entropy (8bit):	3.6966308483098325
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNirx6GB6YglSUuDUgmfCSyCpDC89bHXsfWGtm:RrlsNi96o6YySUuDUgmfCSZHcfWt
MD5:	33CFBFA2116F705AF9CE25E5A975F33B
SHA1:	6E87823227D29A91BFB9AC55B3D6A551EDA2C108
SHA-256:	B47B4855116B6D1EFCEBEA476C65EF2543613C1A7892880FC4F1E45CF88F5DBB
SHA-512:	112428F5AE55E6A553D6B0B6BD879053DF11C14254E91369B78940C2B2A5DBE0B09DABE099AF5C626E48995A91748D51B02B176DDD9A3319EFDF82CCDA5AE5BE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.6.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD99F.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4664
Entropy (8bit):	4.457895924262997
Encrypted:	false
SSDEEP:	48:cvIwSD8zsHJgtWI9+oWSC8BK8fm8M4JuSP2Fvc+q8vzSPGbO34xld:uITfpFBSN1J8cK9y4xld
MD5:	3383DDF91EF8DC2E592534578AE9DD2F
SHA1:	FA4F39535F13F0382FAA86F5AE0E7C3280873DEA
SHA-256:	E1080315752584286EF03082F537B1F15E0CAB88A9305D3261406BE087ECE512
SHA-512:	A05E5E0987AC18D0060A7257217D3F8D7DB4BED108B675CD1B92218A321D0D11B0700CD3A7A09F3B623887D6AE1D68A53353705B081777FA43885ABEAC40F3E1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1110758" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC21.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 6 23:27:20 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	66810
Entropy (8bit):	2.235286940910227
Encrypted:	false
SSDEEP:	384:rYG1CFAsk9WAdaZVGwyBlecqgU0X5xdYZC8O8C:rYG8FkWwaZVGwyBldU0X58Jm
MD5:	74DB29D1BE562FE4711CFFC38B60B505
SHA1:	A057586D079616117B0351EE08442CE7E998F81D
SHA-256:	093B4AE497DABC4CA38BE6792338BDF824CAF8E73D6A216956FF1111807C2D9F
SHA-512:	267640E9FC9CD2665467FB6942A77A57A095CA023795BE00EA7163D065E16F18FD2BFA6809495DCF78FF34536B39E351BD5D8D40E2CD8A516035F4DC35D919CB
Malicious:	false
Preview:	MDMP....... .......X..a...................U...........B.......%......GenuineIntelW...........T.......@...M..a.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3C3.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8352
Entropy (8bit):	3.708105977846853
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNirj646YgplSUWrs3gmfaSmCpBc89bVpXsfAPJm:RrlsNi/646YMSUWrs3gmfaSVVpcfwk
MD5:	FC1130635EA232B6885AF85258E42D07
SHA1:	D965503117D75D8AE2898A111BD0F2CA56EA7564
SHA-256:	12210517CD601E00D2028916B8D9E57D1285B87FDFAAD201D7671FBC9A388FBF
SHA-512:	547FE34D25EF5895721FA916CDB1353ECDBBBDB594B2EFA77443D956B2C6BBC59BD78E4D19D3A71C9E8E73CB86CEF3CCF3C16D69F64F14AB44CBFE74574EB177
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.6.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF76D.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.509079233047533
Encrypted:	false
SSDEEP:	48:cvIwSD8zsWJgtWI9+oWSC8Bp8fm8M4JuSyZFNP+q8d8UlbO34xld:uITfsFBSNoJgxQly4xld
MD5:	10E99EE4C8CF98ECBDBFFE7D2C970489
SHA1:	C3E44E7B41461B0D51561650174E84F83C4EECB7
SHA-256:	250040BB7342B571ED2B238A07B61479FCBDB65D1BFD0B8DF67D77F32296593C
SHA-512:	161BA5074107D351E41AD055840F2215CAEED3B3C33E6EF2661DC9FC7B2080F86E63CD3145CA735A07B64E4A6EB1757AD67476B709AB4B76BF2D01505DFCE914
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1110757" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.573661681226388
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	6v8QbANftP.exe
File size:	1908736
MD5:	d2d3438e61d5dcd688652f3f9a67acdf
SHA1:	e5ef89d044944987a23578ed102eb584f58371ae
SHA256:	67cd12a71d272aac15500b452bfc4c3228e0b7120ba75a19543257b7223b2ce0
SHA512:	05a9ee7e6d64a62abec568a05e2a615879f331d238e1cc2a1be24e86b7bcc8aa9c0ad1d047c98dd133985164fa8721e619743fe89093da42d5f29299f11b73ef
SSDEEP:	24576:XLRorZQmsbyIISwoMmJcCW+WCwcWiNFBtTMA2gdOjBpdo6AOldmf4kQ8Xi3Up5s7:X1OF9IIFEcelj7AA2dBpdoXumLrfy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....X.a.................P...........@.......`....@........................................................................

File Icon


Icon Hash:	d2c6c4c4ecc4ccf0

Static PE Info

General
Entrypoint:	0x574080
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x6106580E [Sun Aug 1 08:15:10 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	c0368754e508c9f92c16810ccc9c68cc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 005766D0h
push 0057406Eh
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [005763ACh]
pop ecx
or dword ptr [0118F000h], FFFFFFFFh
or dword ptr [0118F004h], FFFFFFFFh
call dword ptr [00576388h]
mov ecx, dword ptr [0118EFF0h]
mov dword ptr [eax], ecx
call dword ptr [005763B4h]
mov ecx, dword ptr [0118EFECh]
mov dword ptr [eax], ecx
mov eax, dword ptr [005763B8h]
mov eax, dword ptr [eax]
mov dword ptr [0118F008h], eax
call 00007F76A0C16BD5h
cmp dword ptr [00579030h], ebx
jne 00007F76A0C16ACEh
push 005741FCh
call dword ptr [005763BCh]
pop ecx
call 00007F76A0C16BA7h
push 0057900Ch
push 00579008h
call 00007F76A0C16B92h
mov eax, dword ptr [0118EFE8h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0118EFE4h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [005763A0h]
push 00579004h
push 00579000h
call 00007F76A0C16B5Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1766ec	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd94000	0x53d8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1766b8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x176000	0x69c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17413e	0x175000	False	0.935376042016	data	7.9131965055	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x176000	0x2a36	0x3000	False	0.358317057292	data	5.23691686275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x179000	0xc1600c	0x1000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0xd90000	0xc	0x1000	False	0.007080078125	data	0.0032818649698	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data1	0xd91000	0x288	0x1000	False	0.128173828125	data	1.41331134047	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0xd92000	0x1440	0x2000	False	0.49560546875	data	5.06261072581	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xd94000	0x53d8c	0x54000	False	0.244451613653	data	5.17905187938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0xd95078	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0xd95158	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0xd95238	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0xd95318	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0xd953d8	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0xd95498	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0xd95578	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0xd95638	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0xd95718	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0xd957d8	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xd958b8	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xda60e0	0xea8	data	English	United States
RT_ICON	0xda6f88	0x8a8	data	English	United States
RT_ICON	0xda7830	0x6c8	data	English	United States
RT_ICON	0xda7ef8	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xda8460	0x3b2f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0xdabf90	0x25a8	data	English	United States
RT_ICON	0xdae538	0x10a8	data	English	United States
RT_ICON	0xdaf5e0	0x988	data	English	United States
RT_ICON	0xdaff68	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xdb03d0	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xdc0bf8	0x25a8	data	English	United States
RT_ICON	0xdc31a0	0x10a8	data	English	United States
RT_ICON	0xdc4248	0x988	data	English	United States
RT_ICON	0xdc4bd0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xdc5038	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xdd5860	0x25a8	data	English	United States
RT_ICON	0xdd7e08	0x10a8	data	English	United States
RT_ICON	0xdd8eb0	0x988	data	English	United States
RT_ICON	0xdd9838	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0xdd9ca0	0x848	data
RT_STRING	0xdda4e8	0xa58	data
RT_STRING	0xddaf40	0x800	data
RT_STRING	0xddb740	0x300	data
RT_STRING	0xddba40	0x240	data
RT_STRING	0xddbc80	0x134	data
RT_STRING	0xddbdb4	0x134	data
RT_STRING	0xddbee8	0xe4	data
RT_STRING	0xddbfcc	0x360	data
RT_STRING	0xddc32c	0x524	data
RT_STRING	0xddc850	0x524	data
RT_STRING	0xddcd74	0xbc0	data
RT_STRING	0xddd934	0x6bc	data
RT_STRING	0xdddff0	0x2d4	data
RT_STRING	0xdde2c4	0x440	data
RT_STRING	0xdde704	0xff4	data
RT_STRING	0xddf6f8	0xa94	data
RT_STRING	0xde018c	0x9fc	data
RT_STRING	0xde0b88	0x918	data
RT_STRING	0xde14a0	0x6e8	data
RT_STRING	0xde1b88	0x3f0	data
RT_STRING	0xde1f78	0x430	data
RT_STRING	0xde23a8	0x34c	data
RT_STRING	0xde26f4	0x478	data
RT_STRING	0xde2b6c	0x380	data
RT_STRING	0xde2eec	0x3a4	data
RT_STRING	0xde3290	0x28c	data
RT_STRING	0xde351c	0x40c	data
RT_STRING	0xde3928	0x2c0	data
RT_STRING	0xde3be8	0x3f4	data
RT_STRING	0xde3fdc	0x9c	data
RT_STRING	0xde4078	0xf4	data
RT_STRING	0xde416c	0x148	data
RT_STRING	0xde42b4	0x410	data
RT_STRING	0xde46c4	0x3e4	data
RT_STRING	0xde4aa8	0x4b8	data
RT_STRING	0xde4f60	0x2bc	data
RT_STRING	0xde521c	0x3c8	data
RT_STRING	0xde55e4	0x650	data
RT_STRING	0xde5c34	0x490	data
RT_STRING	0xde60c4	0x388	data
RT_STRING	0xde644c	0x404	data
RT_STRING	0xde6850	0x240	data
RT_STRING	0xde6a90	0xb8	data
RT_STRING	0xde6b48	0xd0	data
RT_STRING	0xde6c18	0x330	data
RT_STRING	0xde6f48	0x4b0	data
RT_STRING	0xde73f8	0x36c	data
RT_STRING	0xde7764	0x2c4	data
RT_GROUP_ICON	0xde7a28	0x14	data	English	United States
RT_MANIFEST	0xde7a3c	0x350	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
MSACM32.dll	acmMetrics
MSVCRT.dll	__p__fmode, _except_handler3, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, _controlfp, __set_app_type, memset, __p__commode, _adjust_fdiv, __setusermatherr
COMCTL32.dll	ImageList_GetBkColor, InitializeFlatSB, ImageList_Write, ImageList_SetOverlayImage, ImageList_SetImageCount, ImageList_SetIconSize, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Replace, ImageList_Remove, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_DrawEx, ImageList_GetDragImage, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_GetImageInfo, ImageList_LoadImageW, ImageList_Read
VERSION.dll	VerQueryValueW
KERNEL32.dll	LoadLibraryA, LoadLibraryExW, LoadLibraryW, LoadResource, LeaveCriticalSection, LocalFileTimeToFileTime, LocalFree, LockResource, lstrcpynW, lstrlenW, MapViewOfFile, MoveFileW, MulDiv, MultiByteToWideChar, QueryDosDeviceW, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFile, RemoveDirectoryW, ResetEvent, ResumeThread, SetCurrentDirectoryW, SetEndOfFile, SetErrorMode, SetEvent, SetFileAttributesW, SetFilePointer, SetFileTime, SetLastError, SetThreadLocale, SetThreadPriority, SetVolumeLabelW, SizeofResource, Sleep, SleepEx, SuspendThread, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualQuery, VirtualQueryEx, WaitForMultipleObjectsEx, WaitForSingleObject, WideCharToMultiByte, WriteFile, IsValidCodePage, EnterCriticalSection, GetCommandLineA, GetSystemTimeAsFileTime, GetModuleHandleA, GetStartupInfoA, IsValidLocale, InterlockedExchangeAdd, InterlockedCompareExchange, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalMemoryStatus, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVolumeInformationW, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetTempFileNameW, GetSystemInfo, GetStringTypeExW, GetStringTypeExA, GetStdHandle, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLogicalDriveStringsW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetFileAttributesExW, GetExitCodeThread, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentProcessId, GetCurrentDirectoryW, GetCPInfoExW, GetComputerNameW, GetCommandLineW, GetACP, FreeResource, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToLocalFileTime, GetLocaleInfoW, ExitProcess, GetOEMCP, LocalAlloc
USER32.dll	KillTimer, LoadBitmapW, LoadCursorW, LoadIconW, LoadKeyboardLayoutW, LoadStringW, MapVirtualKeyW, MapWindowPoints, MsgWaitForMultipleObjectsEx, OemToCharA, OemToCharBuffA, OffsetRect, OpenClipboard, PeekMessageA, PeekMessageW, PostMessageW, PostQuitMessage, PtInRect, RedrawWindow, RegisterClassW, RegisterClipboardFormatW, RegisterWindowMessageW, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropW, ScreenToClient, ScrollWindow, SendMessageA, SendMessageW, SetActiveWindow, SetCapture, SetClassLongW, SetClipboardData, SetCursorPos, SetFocus, SetForegroundWindow, SetMenuItemInfoW, SetParent, SetPropW, SetRect, SetScrollInfo, SetScrollPos, SetScrollRange, SetTimer, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, ShowCaret, ShowOwnedPopups, ShowScrollBar, ShowWindow, SystemParametersInfoW, TrackPopupMenu, TranslateMDISysAccel, TranslateMessage, UnhookWindowsHookEx, UnregisterClassW, UpdateWindow, WaitMessage, WindowFromPoint, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRgn, InvalidateRect, InsertMenuW, InsertMenuItemW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetLastActivePopup, GetKeyNameTextW, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetClipboardData, GetClientRect, GetClassNameW, GetClassLongW, GetClassInfoW, GetClassInfoExW, GetCapture, GetActiveWindow, FrameRect, FindWindowW, FindWindowExW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextW, DrawTextExW, DrawMenuBar, DrawIconEx, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreateWindowExW, CreatePopupMenu, CreateMenu, CreateIcon, EmptyClipboard, GetKeyState, GetSysColor, GetCursorPos
GDI32.dll	GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDIBits, GetDIBColorTable, GetDeviceCaps, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetObjectW, GetPaletteEntries, LineTo, GetBitmapBits, MaskBlt, MoveToEx, PatBlt, Pie, PlayEnhMetaFile, PolyBezierTo, Polygon, Polyline, RealizePalette, Rectangle, RectVisible, ResizePalette, RestoreDC, RoundRect, GetWinMetaFileBits, SaveDC, SelectObject, SelectPalette, SetAbortProc, SetBkColor, SetBkMode, SetBrushOrgEx, SetDIBColorTable, SetDIBits, SetEnhMetaFileBits, SetMapMode, SetPixel, SetROP2, SetStretchBltMode, SetTextColor, SetViewportOrgEx, SetWindowOrgEx, SetWinMetaFileBits, StartDocW, StartPage, StretchBlt, StretchDIBits, UnrealizeObject, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, LPtoDP, EndDoc, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, IntersectClipRect
ADVAPI32.dll	RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryValueExA, RegQueryInfoKeyW, RegOpenKeyExW, RegUnLoadKeyW
ole32.dll	OleSetMenuDescriptor, OleDraw, OleUninitialize, ProgIDFromCLSID, StringFromCLSID, OleInitialize, OleRegEnumVerbs
OLEAUT32.dll	VariantInit, VariantCopyInd, SafeArrayPutElement, SafeArrayUnaccessData, SetErrorInfo, SysAllocStringLen, SysFreeString, SysReAllocStringLen, VariantChangeType, VariantClear, GetErrorInfo

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2021 16:28:00.469008923 CEST	49727	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:00.488080025 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.488224983 CEST	49727	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:00.488749027 CEST	49727	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:00.507879019 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.516267061 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.516307116 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.516454935 CEST	49727	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:00.524367094 CEST	49727	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:00.543771982 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.543859005 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.544517040 CEST	49727	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:00.561275959 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.561330080 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.561342955 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.561357021 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.830079079 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.830107927 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.830120087 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.830135107 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.830285072 CEST	49727	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:00.830610037 CEST	49727	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:00.848400116 CEST	443	49727	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:00.856100082 CEST	49727	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:01.054464102 CEST	49728	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:01.076653004 CEST	443	49728	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:01.076832056 CEST	49728	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:01.077107906 CEST	49728	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:01.096609116 CEST	443	49728	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:01.100225925 CEST	443	49728	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:01.100277901 CEST	443	49728	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:01.100400925 CEST	49728	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:01.107228041 CEST	49728	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:01.130251884 CEST	443	49728	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:01.130392075 CEST	443	49728	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:01.130749941 CEST	49728	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:01.151499033 CEST	443	49728	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:01.191277027 CEST	443	49728	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:01.191550016 CEST	49728	443	192.168.2.7	172.67.150.157
Aug 6, 2021 16:28:01.213037014 CEST	443	49728	172.67.150.157	192.168.2.7
Aug 6, 2021 16:28:01.213195086 CEST	49728	443	192.168.2.7	172.67.150.157

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2021 16:27:02.555526018 CEST	60501	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:02.584285021 CEST	53	60501	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:03.627583981 CEST	53775	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:03.656378984 CEST	53	53775	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:04.694755077 CEST	51837	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:04.723517895 CEST	53	51837	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:06.197499037 CEST	55411	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:06.240997076 CEST	53	55411	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:06.900752068 CEST	63668	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:06.933510065 CEST	53	63668	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:07.946070910 CEST	54640	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:07.978765965 CEST	53	54640	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:08.990540981 CEST	58739	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:09.020075083 CEST	53	58739	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:09.700903893 CEST	60338	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:09.729533911 CEST	53	60338	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:11.005259991 CEST	58717	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:11.037810087 CEST	53	58717	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:11.756496906 CEST	59762	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:11.783067942 CEST	53	59762	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:13.144382000 CEST	54329	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:13.173825979 CEST	53	54329	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:18.137051105 CEST	58052	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:18.169406891 CEST	53	58052	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:22.349517107 CEST	54008	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:22.375504971 CEST	53	54008	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:23.136261940 CEST	59451	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:23.161176920 CEST	53	59451	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:23.977864981 CEST	52914	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:24.013690948 CEST	53	52914	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:24.046950102 CEST	64569	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:24.074382067 CEST	53	64569	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:25.196602106 CEST	52816	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:25.225466967 CEST	53	52816	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:26.608381033 CEST	50781	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:26.643709898 CEST	53	50781	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:26.684978962 CEST	54230	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:26.717679977 CEST	53	54230	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:28.441884995 CEST	54911	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:28.475022078 CEST	53	54911	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:29.148345947 CEST	49958	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:29.179605961 CEST	53	49958	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:30.194349051 CEST	50860	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:30.225172997 CEST	53	50860	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:36.433078051 CEST	50452	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:36.470401049 CEST	53	50452	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:40.185641050 CEST	59730	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:40.211745024 CEST	53	59730	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:56.970288992 CEST	59310	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:57.004972935 CEST	53	59310	8.8.8.8	192.168.2.7
Aug 6, 2021 16:27:58.729558945 CEST	51919	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:27:58.755795956 CEST	53	51919	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:00.428356886 CEST	64296	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:00.467328072 CEST	53	64296	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:01.011660099 CEST	56680	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:01.048764944 CEST	53	56680	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:07.048788071 CEST	58820	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:07.124248981 CEST	53	58820	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:07.727798939 CEST	60983	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:07.760293961 CEST	53	60983	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:08.498694897 CEST	49247	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:08.572196960 CEST	53	49247	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:09.218595028 CEST	52286	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:09.251132965 CEST	53	52286	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:09.841500998 CEST	56064	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:09.877163887 CEST	53	56064	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:09.944124937 CEST	63744	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:09.986351013 CEST	53	63744	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:10.346194029 CEST	61457	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:10.374141932 CEST	53	61457	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:10.937396049 CEST	58367	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:10.974147081 CEST	53	58367	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:11.964181900 CEST	60599	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:11.996906996 CEST	53	60599	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:13.554069042 CEST	59571	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:13.589881897 CEST	53	59571	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:14.052850962 CEST	52689	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:14.085310936 CEST	53	52689	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:17.117254019 CEST	50290	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:17.150985956 CEST	53	50290	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:28.574734926 CEST	60427	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:28.603771925 CEST	53	60427	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:46.017838955 CEST	56209	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:46.060956955 CEST	53	56209	8.8.8.8	192.168.2.7
Aug 6, 2021 16:28:48.443761110 CEST	59582	53	192.168.2.7	8.8.8.8
Aug 6, 2021 16:28:48.482026100 CEST	53	59582	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 6, 2021 16:27:26.608381033 CEST	192.168.2.7	8.8.8.8	0x22dd	Standard query (0)	nikolakigreate.live	A (IP address)	IN (0x0001)
Aug 6, 2021 16:28:00.428356886 CEST	192.168.2.7	8.8.8.8	0xd145	Standard query (0)	nikolakigreate.live	A (IP address)	IN (0x0001)
Aug 6, 2021 16:28:01.011660099 CEST	192.168.2.7	8.8.8.8	0x3e1e	Standard query (0)	nikolakigreate.live	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 6, 2021 16:27:26.643709898 CEST	8.8.8.8	192.168.2.7	0x22dd	No error (0)	nikolakigreate.live	104.21.30.56	A (IP address)	IN (0x0001)
Aug 6, 2021 16:27:26.643709898 CEST	8.8.8.8	192.168.2.7	0x22dd	No error (0)	nikolakigreate.live	172.67.150.157	A (IP address)	IN (0x0001)
Aug 6, 2021 16:28:00.467328072 CEST	8.8.8.8	192.168.2.7	0xd145	No error (0)	nikolakigreate.live	172.67.150.157	A (IP address)	IN (0x0001)
Aug 6, 2021 16:28:00.467328072 CEST	8.8.8.8	192.168.2.7	0xd145	No error (0)	nikolakigreate.live	104.21.30.56	A (IP address)	IN (0x0001)
Aug 6, 2021 16:28:01.048764944 CEST	8.8.8.8	192.168.2.7	0x3e1e	No error (0)	nikolakigreate.live	172.67.150.157	A (IP address)	IN (0x0001)
Aug 6, 2021 16:28:01.048764944 CEST	8.8.8.8	192.168.2.7	0x3e1e	No error (0)	nikolakigreate.live	104.21.30.56	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 6, 2021 16:28:00.516307116 CEST	172.67.150.157	443	192.168.2.7	49727	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Oct 02 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Sat Oct 02 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49200-49196-49192-49188-49172-49162-165-163-161-159-107-106-105-104-57-56-55-54-136-135-134-133-49202-49198-49194-49190-49167-49157-157-61-53-132-49199-49195-49191-49187-49171-49161-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-69-68-67-66-49201-49197-49193-49189-49166-49156-156-60-47-150-65-7-49169-49159-49164-49154-5-4-49170-49160-22-19-16-13-49165-49155-10-255,0-11-10-35-13-15,23-25-28-27-24-26-22-14-13-11-12-9-10,0-1-2	fd80fa9c6120cdeea8520510f3c644ac
Aug 6, 2021 16:28:00.516307116 CEST	172.67.150.157	443	192.168.2.7	49727	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		fd80fa9c6120cdeea8520510f3c644ac
Aug 6, 2021 16:28:01.100277901 CEST	172.67.150.157	443	192.168.2.7	49728	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Oct 02 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Sat Oct 02 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49200-49196-49192-49188-49172-49162-165-163-161-159-107-106-105-104-57-56-55-54-136-135-134-133-49202-49198-49194-49190-49167-49157-157-61-53-132-49199-49195-49191-49187-49171-49161-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-69-68-67-66-49201-49197-49193-49189-49166-49156-156-60-47-150-65-7-49169-49159-49164-49154-5-4-49170-49160-22-19-16-13-49165-49155-10-255,0-11-10-35-13-15,23-25-28-27-24-26-22-14-13-11-12-9-10,0-1-2	fd80fa9c6120cdeea8520510f3c644ac
Aug 6, 2021 16:28:01.100277901 CEST	172.67.150.157	443	192.168.2.7	49728	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		fd80fa9c6120cdeea8520510f3c644ac

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 6v8QbANftP.exe PID: 576 Parent PID: 5672

General

Start time:	16:27:09
Start date:	06/08/2021
Path:	C:\Users\user\Desktop\6v8QbANftP.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\6v8QbANftP.exe'
Imagebase:	0x400000
File size:	1908736 bytes
MD5 hash:	D2D3438E61D5DCD688652F3F9A67ACDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: WerFault.exe PID: 2220 Parent PID: 576

General

Start time:	16:27:16
Start date:	06/08/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 844
Imagebase:	0x11a0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4744 Parent PID: 576

General

Start time:	16:27:30
Start date:	06/08/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 904
Imagebase:	0x11a0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 1528 Parent PID: 576

General

Start time:	16:27:48
Start date:	06/08/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 1028
Imagebase:	0x11a0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 1656 Parent PID: 576

General

Start time:	16:28:10
Start date:	06/08/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 1028
Imagebase:	0x11a0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 6v8QbANftP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior