Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522718
MD5:	6aecfc2ede0f22d0add919214de21a83
SHA1:	c2c87ef0d333c4c56cdc2dcb52fd4d7c4902b2ec
SHA256:	64aa700db7bb8d9f836e59ce259a47bce371dc0c60cba660ce51edef945d679d
Tags:	exeuser-jstrosch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Detected potential crypto function

Found large amount of non-executed APIs

One or more processes crash

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.0% probability

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004093C8 FindFirstFileW,FindClose,	0_2_004093C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429570 FindFirstFileW,FindNextFileW,FindClose,	0_2_00429570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041E578 FindFirstFileW,FindClose,	0_2_0041E578
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408DFC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	0_2_00408DFC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041DF90 FindFirstFileW,FindNextFileW,FindClose,GetLastError,	0_2_0041DF90

Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe	String found in binary or memory: https://www.abyssmedia.com

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408090	0_2_00408090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042CAC4	0_2_0042CAC4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040FCAC	0_2_0040FCAC

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 508

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000000.1696205746.0000000000454000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename" vs file.exe
Source: file.exe	Binary or memory string: OriginalFilename" vs file.exe

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal60.winEXE@3/6@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004151D0 GetDiskFreeSpaceW,

0_2_004151D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042EF38 FindResourceW,LoadResource,LockResource,SizeofResource,FreeResource,

0_2_0042EF38

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6644

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\49ad28af-b7ed-4263-8b81-3101fdabf7e2

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 508

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll			Jump to behavior

PE file contains sections with non-standard names

Source: file.exe

Static PE information: section name: .didata

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00432310 push 004323ADh; ret	0_2_004323A5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042F0E0 push 0042F110h; ret	0_2_0042F108
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041A9F0 push 0041AA3Eh; ret	0_2_0041AA36
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004119F8 push ecx; mov dword ptr [esp], eax	0_2_004119FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041E184 push 0041E1C2h; ret	0_2_0041E1BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041A2A8 push 0041A39Dh; ret	0_2_0041A395
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411ABC push ecx; mov dword ptr [esp], eax	0_2_00411ABE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042EB28 push 0042EB60h; ret	0_2_0042EB58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042DBDC push ecx; mov dword ptr [esp], ecx	0_2_0042DBE1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041744C push 004174CDh; ret	0_2_004174C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042B544 push 0042B592h; ret	0_2_0042B58A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004275FC push 0042775Fh; ret	0_2_004276DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004275FC push 0042775Fh; ret	0_2_00427757
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411DA8 push 00411DE0h; ret	0_2_00411DD8

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\file.exe

API coverage: 7.3 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004093C8 FindFirstFileW,FindClose,	0_2_004093C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00429570 FindFirstFileW,FindNextFileW,FindClose,	0_2_00429570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041E578 FindFirstFileW,FindClose,	0_2_0041E578
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408DFC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	0_2_00408DFC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041DF90 FindFirstFileW,FindNextFileW,FindClose,GetLastError,	0_2_0041DF90

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00409C44 GetSystemInfo,

0_2_00409C44

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004056AC cpuid

0_2_004056AC

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	0_2_00409500
Source: C:\Users\user\Desktop\file.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetUserDefaultLCID,GetLocaleInfoW,GetUserDefaultLCID,GetTimeFormatW,	0_2_0041B8F0
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00419880
Source: C:\Users\user\Desktop\file.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004089A0
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00419A68
Source: C:\Users\user\Desktop\file.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetUserDefaultLCID,GetLocaleInfoW,GetUserDefaultLCID,GetDateFormatW,GetUserDefaultLCID,GetDateFormatW,GetUserDefaultLCID,GetDateFormatW,GetLastError,	0_2_0041B374
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00416CE4
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00416D30
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0041AD3C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041B8F0 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetUserDefaultLCID,GetLocaleInfoW,GetUserDefaultLCID,GetTimeFormatW,

0_2_0041B8F0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040A8B6 GetVersionExW,

0_2_0040A8B6

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1522718
Product:	CloudBasic
Start time:	15:57:11
Start date:	30.09.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	6aecfc2ede0f22d0add919214de21a83
SHA1:	c2c87ef0d333c4c56cdc2dcb52fd4d7c4902b2ec
SHA256:	64aa700db7bb8d9f836e59ce259a47bce371dc0c60cba660ce51edef945d679d
Filetype:	Win32 Executable (generic) a (10002005/4) 99.53%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_71e4f97fcad7bd8af59197fe7fdb89b6f66cc6a_89969336_9d5f8a6b-4665-44cb-89ec-0ff41a3c22d9\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	9A8F37BED9E0D1534555FACB5261FD8D	352030F9CF0AF0A1B9CF7B2C7D822C6B0BFEA5F3	FF59C87BA5217CAB39282508CBFB26EF492CD556CD65E0F7B02DC6323D624EA8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5517.tmp.dmp	Mini DuMP crash report, 14 streams, Mon Sep 30 13:58:04 2024, 0x1205a4 type	6993E53FAD2C8694ADDD52A170291DCA	E255C3E55F3390413B1D3F7FB172F7AE24130A97	CE51CFC36F3AC132D29601E9AAC40EF74C329F5047F1A4686B2F5B58B1F8C0C0
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5585.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	A531809040B905FEFB23FBEFA9A2E208	8B839BFBEC0D4899AD98E521011F164275423412	D228E00BBE93DA19E797B0872089D3DD561E45772FFC097ACFB458573E2D8F4D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER55C5.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	7C5D100DCBC06AEE4B6364E25A98F08D	BA89B082D5556A159B7154DE3CAF25BE9DF07632	0C2A2958A076B746957038D660A61B6BB1FAAB6C06C90E387E9A17028CDFDE5E
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	647395672846865397B1707BCAF045E9	CD10C1592B1110D5457E3916DED3621089ACCA49	C6D0D2E18C11C86B6E17FFF3DB74EC687B693F8DF1F492E8DA47635AA1B6D98F
\Device\ConDrv	ASCII text, with CRLF line terminators	9D70D97D77237FF5E8E515812D35A794	B12CF9D743825BA7552E6530CD3284D268901D1E	E28851B7C00C0007E12E148A3669BDDBDA4F5436BA6D8F8CDBEF866F0FD639E3

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
file.exe