Edit tour

Windows Analysis Report
6CUj5MBggF.dll

Overview

General Information

Sample name:	6CUj5MBggF.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	27c0935a22862475bb3fd516f93bd466f8021f77727e83f53d67d76978b439ee.exe
Analysis ID:	1431870
MD5:	c73715e14f2de81195606feb4446e227
SHA1:	ab9708fcfc118edecced4facbab0f731174ba812
SHA256:	27c0935a22862475bb3fd516f93bd466f8021f77727e83f53d67d76978b439ee
Tags:	exewineloader
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Analysis Advice

Sample searches for specific file, try point organization specific fake files to the analysis machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64

loaddll64.exe (PID: 3080 cmdline: loaddll64.exe "C:\Users\user\Desktop\6CUj5MBggF.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6516 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6CUj5MBggF.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 5720 cmdline: rundll32.exe "C:\Users\user\Desktop\6CUj5MBggF.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 5020 cmdline: C:\Windows\system32\WerFault.exe -u -p 5720 -s 376 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

regsvr32.exe (PID: 5576 cmdline: regsvr32.exe /s C:\Users\user\Desktop\6CUj5MBggF.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

WerFault.exe (PID: 3608 cmdline: C:\Windows\system32\WerFault.exe -u -p 5576 -s 456 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 504 cmdline: rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzAddPropertyItem MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 3496 cmdline: C:\Windows\system32\WerFault.exe -u -p 504 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 5200 cmdline: rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzApplicationClose MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 1484 cmdline: C:\Windows\system32\WerFault.exe -u -p 5200 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 2664 cmdline: rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzApplicationCreate MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7132 cmdline: C:\Windows\system32\WerFault.exe -u -p 2664 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 1944 cmdline: C:\Windows\system32\WerFault.exe -u -p 3080 -s 412 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 6CUj5MBggF.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source:	Binary string: azroles.pdb source: 6CUj5MBggF.dll
Source:	Binary string: azroles.pdbGCTL source: 6CUj5MBggF.dll

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6CU_7388dff48cc23628a4ea92b83ffbbc9f91ab18_d33dfb83_7ba62480-dbd8-40d1-aada-2d35fbba7c1b\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_5430187a20f1e1abcbbb987c41713fb407235ea_e29f7403_5a2d7340-ba07-41d0-a4cb-e403a198e059\	Jump to behavior

Source: Amcache.hve.11.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5576 -s 456

Source: 6CUj5MBggF.dll

Binary or memory string: OriginalFilenameazrolesj% vs 6CUj5MBggF.dll

Source: classification engine

Classification label: clean4.winDLL@20/25@0/0

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3080
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess504
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5200
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5720
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5576
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2664

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b87ee975-a052-4745-9907-b0fb5b84a700

Jump to behavior

Source: 6CUj5MBggF.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6CUj5MBggF.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\6CUj5MBggF.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6CUj5MBggF.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6CUj5MBggF.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6CUj5MBggF.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzAddPropertyItem
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5576 -s 456
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 504 -s 344
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5720 -s 376
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzApplicationClose
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5200 -s 344
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzApplicationCreate
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2664 -s 344
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3080 -s 412
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6CUj5MBggF.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6CUj5MBggF.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzAddPropertyItem	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzApplicationClose	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzApplicationCreate	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6CUj5MBggF.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 6CUj5MBggF.dll

Static PE information: Image base 0x7ffb85240000 > 0x60000000

Source: 6CUj5MBggF.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6CUj5MBggF.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6CUj5MBggF.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6CUj5MBggF.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6CUj5MBggF.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6CUj5MBggF.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6CUj5MBggF.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source: 6CUj5MBggF.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: azroles.pdb source: 6CUj5MBggF.dll
Source:	Binary string: azroles.pdbGCTL source: 6CUj5MBggF.dll

Source: 6CUj5MBggF.dll

Static PE information: real checksum: 0x9bdce should be: 0xb03d2

Source: 6CUj5MBggF.dll

Static PE information: section name: .didat

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6CUj5MBggF.dll

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6CU_7388dff48cc23628a4ea92b83ffbbc9f91ab18_d33dfb83_7ba62480-dbd8-40d1-aada-2d35fbba7c1b\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_5430187a20f1e1abcbbb987c41713fb407235ea_e29f7403_5a2d7340-ba07-41d0-a4cb-e403a198e059\	Jump to behavior

Source: Amcache.hve.11.dr	Binary or memory string: VMware
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.11.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\loaddll64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6CUj5MBggF.dll",#1

Jump to behavior

Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.11.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Regsvr32	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Rundll32	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6CUj5MBggF.dll	0%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.11.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431870
Start date and time:	2024-04-25 22:11:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6CUj5MBggF.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	27c0935a22862475bb3fd516f93bd466f8021f77727e83f53d67d76978b439ee.exe
Detection:	CLEAN
Classification:	clean4.winDLL@20/25@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 6CUj5MBggF.dll

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_ad93cb228ab98f9ef5f4ec267a7cf3171f88dc4_606702e6_a7367550-730b-476e-8289-dfb0b98b2092\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7791484666119441
Encrypted:	false
SSDEEP:	96:5Uap6YsthNFK29dQXIDcQxc6GcEccw362v+HbHg/5tpOzOqg7TSAUovCa/b6mtA3:666Y70vCG0jUqzuiFbZ24lO81
MD5:	4CBBB318EB5CA98D20FB45B23FCB7FCF
SHA1:	4F0184D612F76E5BEDC0F078011A6E9551F6360A
SHA-256:	ED35BD5B1AEB7270B0ACD05BDAFF8219DBF1E8A0A4BE6FF49441CCE6E15235F5
SHA-512:	3FF6DA52BD2249A1E9C38F03D91CB7D417EB549797BB41238CB9D8EF3E02B4CF1355785638704443893572C077FA7B65F5F66A6AACA0288ECD9AC904A38D77C0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.9.5.1.9.6.0.5.2.3.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.3.6.7.5.5.0.-.7.3.0.b.-.4.7.6.e.-.8.2.8.9.-.d.f.b.0.b.9.8.b.2.0.9.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.5.5.7.e.b.d.-.9.b.d.4.-.4.1.c.2.-.a.b.b.7.-.7.0.3.4.8.f.0.0.3.f.1.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.6.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.0.8.-.0.0.0.1.-.0.0.1.5.-.5.f.9.5.-.c.0.c.e.4.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.f.e.1.f.7.3.2.2.5.e.8.c.2.3.3.1.b.8.d.3.7.3.d.3.f.9.1.a.c.4.2.0.0.0.0.f.f.f.f.!.0.0.0.0.f.2.3.2.e.0.d.e.c.d.5.4.8.8.5.2.f.a.6.0.8.9.e.1.9.5.4.3.1.b.7.3.e.9.4.e.d.0.b.d.!.l.o.a.d.d.l.l.6.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.1.5.:.0.8.:.2.3.:.4.0.!.0.!.l.o.a.d.d.l.l.6.4...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_5430187a20f1e1abcbbb987c41713fb407235ea_e29f7403_5a2d7340-ba07-41d0-a4cb-e403a198e059\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8452096553386604
Encrypted:	false
SSDEEP:	192:wlzcaES3lA0MsAWAjeTizuiFbZ24lO83:w5cTS3ZMsAWAjeWzuiFbY4lO83
MD5:	D85E1B0A1E23E94D8AC7DB48357AB1FA
SHA1:	960C3315B893B2BF5D573AD00A8E74A0A0EED5CB
SHA-256:	E282B575501E50BD24732F3F20B102727848215CC260DBD1DCE163BCEE8ECBEC
SHA-512:	1F13CB4E18E8FF33C7C03042B77653A80AB82F1B79EEA176909F83694FD5C1142CE5FE8DD3EE678FEFE2459BCEBEFF0B934CE8BE475DB849DBD2499533870641
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.9.5.1.0.9.0.6.9.6.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.a.2.d.7.3.4.0.-.b.a.0.7.-.4.1.d.0.-.a.4.c.b.-.e.4.0.3.a.1.9.8.e.0.5.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.c.a.e.b.8.d.-.f.e.a.3.-.4.8.2.8.-.b.7.8.f.-.d.e.7.1.2.e.e.e.4.8.6.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.8.-.0.0.0.1.-.0.0.1.5.-.d.7.7.f.-.c.e.c.e.4.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.d.7.c.2.f.d.3.5.4.3.6.3.d.a.e.e.6.3.e.8.f.5.9.1.e.c.5.2.f.a.5.d.0.e.2.3.f.6.f.!.r.e.g.s.v.r.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.7.3././.0.8././.3.1.:.0.4.:.1.3.:.5.4.!.7.1.9.6.!.r.e.g.s.v.r.3.2...e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6CU_7388dff48cc23628a4ea92b83ffbbc9f91ab18_d33dfb83_6292dada-936a-4b51-806b-5e354b1c75ee\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7972389372508134
Encrypted:	false
SSDEEP:	96:3MZNXiwkyKyVsj24RvFK29dQXIDcQIc64cEpcw3UUXaXz+HbHgSQgJjT5h88WpL/:8jiLyV5028zYKjnqzuiFbZ24lO8pe
MD5:	A828ECA1D4C97AB028C19102FB1DD001
SHA1:	183043FEAD53CF7776D347BDA37AEF1AE87C521E
SHA-256:	2673316DF539FCA5F52F3C20D73DCEE70FED11E17B361BDA0DAB6B3D100E0FBA
SHA-512:	31E9ABEABEF11CA11994CF9559BA5B18F6B066B61FB22E51EC7CBAE28BCB6A116AFE9156856349FDCBE32955259D6F4DE2E961352C4FAB8E81489E32E531BF0C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.9.5.1.0.9.4.9.8.6.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.9.2.d.a.d.a.-.9.3.6.a.-.4.b.5.1.-.8.0.6.b.-.5.e.3.5.4.b.1.c.7.5.e.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.b.8.7.6.6.f.-.b.0.8.c.-.4.c.5.5.-.9.2.6.f.-.2.f.4.9.e.3.4.f.7.d.1.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.C.U.j.5.M.B.g.g.F...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.f.8.-.0.0.0.1.-.0.0.1.5.-.b.c.0.8.-.d.0.c.e.4.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.1.0.3././.0.8././.0.7.:.2.2.:.5.3.:.3.1.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6CU_7388dff48cc23628a4ea92b83ffbbc9f91ab18_d33dfb83_7ba62480-dbd8-40d1-aada-2d35fbba7c1b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7972691314527894
Encrypted:	false
SSDEEP:	96:POXiTyKyksj24RvFK29dQXIDcQIc64cEpcw3UUXaXz+HbHgSQgJjT5h88WpLUov+:WiTyk5028zYKjvqzuiFbZ24lO8pe/
MD5:	659186F560224BD4B67273B4669A8A44
SHA1:	82D7C2BE360F41BECABD3BC80479CBF4AB0A140D
SHA-256:	FDEF42A161254E11E0F11147A5395CE3681422D50F1AB59BD2BFE47D719C4419
SHA-512:	20C57E8B77257BE1506C468605E517E90EEAA0B440620EF7482243C11A69CB18423DBFC508659EBCB4BFE928B6D3B736DE95195FC25C47C32E32F6DE7A841F14
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.9.5.1.1.0.6.2.5.8.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.a.6.2.4.8.0.-.d.b.d.8.-.4.0.d.1.-.a.a.d.a.-.2.d.3.5.f.b.b.a.7.c.1.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.9.0.d.d.7.2.-.5.2.e.8.-.4.8.5.2.-.a.c.8.8.-.1.2.1.d.0.b.2.5.c.3.e.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.C.U.j.5.M.B.g.g.F...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.5.8.-.0.0.0.1.-.0.0.1.5.-.b.d.e.6.-.c.f.c.e.4.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.1.0.3././.0.8././.0.7.:.2.2.:.5.3.:.3.1.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6CU_7388dff48cc23628a4ea92b83ffbbc9f91ab18_d33dfb83_979c50c0-29ee-4e52-a078-833371fa9173\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7972411003907368
Encrypted:	false
SSDEEP:	96:jbFLeXiyyKyKsj24RvFK29dQXIDcQIc64cEpcw3UUXaXz+HbHgSQgJjT5h88WpLw:MiyyK5028zYKjnqzuiFbZ24lO8pe
MD5:	24E1430C32CB393D78C313CCE94BE6E1
SHA1:	FE27BB51FB93F5BAC952F9E8173FCAE8C7E8FCE8
SHA-256:	2FDF822A9A42BB9F8EBA8BE9074EBAEB0CF8F9376252985A83556FC68CC4F57A
SHA-512:	97E6D1A7230A2B2DFD387B33A2956198E55A054407DD6A5997B37E29D2DA64075936872ED393F0560506B7F449B273A26C0007439643EF4B0C6BAE89ED9768FD
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.9.5.1.3.5.8.9.8.7.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.7.9.c.5.0.c.0.-.2.9.e.e.-.4.e.5.2.-.a.0.7.8.-.8.3.3.3.7.1.f.a.9.1.7.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.3.4.d.e.d.f.d.-.a.2.d.9.-.4.f.6.7.-.b.d.4.d.-.1.3.d.3.8.7.6.3.b.0.6.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.C.U.j.5.M.B.g.g.F...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.5.0.-.0.0.0.1.-.0.0.1.5.-.f.9.c.7.-.9.c.d.0.4.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.1.0.3././.0.8././.0.7.:.2.2.:.5.3.:.3.1.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6CU_7388dff48cc23628a4ea92b83ffbbc9f91ab18_d33dfb83_d0849452-92c2-4bc5-8dd0-8d4c6d981e0c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7974896686169355
Encrypted:	false
SSDEEP:	96:cPhXiwUyKy2sj24RvFK29dQXIDcQIc64cEpcw3UUXaXz+HbHgSQgJjT5h88WpLUJ:4iwUy25028zYKjnqzuiFbZ24lO8pe
MD5:	A35FD2540097A39A2E61009E3BDFF655
SHA1:	FA6C190BB65ECE0C491D45F43D5912602F7F8B47
SHA-256:	BBA9F38F9B58ECD193E12DFCBB788020C253ACF89CF09C98A7BCFBF17F39C41F
SHA-512:	D4F848E69C506FF7B6E9B9C1C7C2E30C037A7184C0016352EA34CCBC8DA6A97294641CD4FC9C3B05515C05BAAB530E126E32C15431DD0E7C451978C835655901
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.9.5.1.6.5.7.8.6.7.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.8.4.9.4.5.2.-.9.2.c.2.-.4.b.c.5.-.8.d.d.0.-.8.d.4.c.6.d.9.8.1.e.0.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.b.7.3.6.8.4.-.d.3.0.7.-.4.3.1.c.-.8.1.b.3.-.f.b.4.b.2.a.2.7.0.a.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.C.U.j.5.M.B.g.g.F...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.6.8.-.0.0.0.1.-.0.0.1.5.-.7.1.f.3.-.6.8.d.2.4.c.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.1.0.3././.0.8././.0.7.:.2.2.:.5.3.:.3.1.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66A5.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:11:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	60658
Entropy (8bit):	1.7609389412816432
Encrypted:	false
SSDEEP:	192:i6lzvXJChxNCbOMjMppBSQnc6iwkVpFnfVx8xG0122:NltoxNx2MppBS8c9Vzf8xG0
MD5:	E115E3A493007B586A0D28B17B0A0287
SHA1:	F3FFA06FBB950831AFD80DB133684E3A09739716
SHA-256:	5DBDD35DCD4CADD064076FD65FB9232E97F5B36838004CD830B0743EE9BF9C5A
SHA-512:	BDDDCDDE7D0ED0D1F1845A53882DFA9F064283D1CA8EF7C68377D16FB52EF4CF1FC33A419D57F322AC54246462DB17E42CF5EE5ACA4040B5749B342E8908FB13
Malicious:	false
Preview:	MDMP..a..... .........f........................................D,..........T.......8...........T...........................p...........\...............................................................................eJ..............Lw......................T.............f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66B5.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:11:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	64770
Entropy (8bit):	1.8261349331939345
Encrypted:	false
SSDEEP:	192:iaiRIqXZYhAeXO50FMEpW29MZEnXNVxRd0+yDi5H5:Obun+50FMEpt9GEnXNE9Dy
MD5:	00946520E526398B4216318AC7ADE596
SHA1:	F1E6639CC35BFE7334C0D5CB5C26007B5CBF765E
SHA-256:	E6D3D94843371E356CFF10E1860A14DC700242B1CC4BED03EB4B4B5FC47BB636
SHA-512:	1FEB461E102D6AF8BC4AA3F16107B2340BE3A146C72F8F4555F39A40FCDF95E20828DE22D2539E06138286F8264C5481664F181BDF95829A0F9D4ED6BECCF9A7
Malicious:	false
Preview:	MDMP..a..... .........f....................................4....0..........T.......8...........T...........................d...........P...............................................................................eJ..............Lw......................T.............f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6751.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:11:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	70566
Entropy (8bit):	1.6444969371666442
Encrypted:	false
SSDEEP:	192:i/xrXhSh8OMQM6o8RtFV9C/VxEcGFp4J/aEq3gpX8F6uR6w:0z4zxM6o8RfVwEcGFp4J/aEq3g98F6W
MD5:	FC3B7E842A1F2E0399DE37E8B7D9ECBD
SHA1:	C7ABA33170FB9C4A2F9DC382B2680C71AADF6206
SHA-256:	53D31BA70313A6A7E6678ED57671C458A154FBCDC14427D198E78148A22F34AC
SHA-512:	D630E6649F105FDCAE4A2E0D49C4668A34A21D3034AC15B8273A2BB3B021B6419C42DE5FA2CB10C2FBACF2A4DE0FD14EBF110316D57CF129AB4192C6D9C7D007
Malicious:	false
Preview:	MDMP..a..... .........f....................................4...D1..........T.......8...........T...........H...^.......................................................................................................eJ......$.......Lw......................T.......X.....f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6762.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8520
Entropy (8bit):	3.703604032462055
Encrypted:	false
SSDEEP:	192:R6l7wVeJnMA2xX6YCw30LgmfOS3RDpBZ89bz24f/xm:R6lXJb2xX6YFYgmfOS3RKzBf0
MD5:	96AF4C451511735BC130BB110366A198
SHA1:	A663CFE431239EDC47B9910505CFAB582B8AAD6D
SHA-256:	226E71DCB22AFCE79908EF72E70165E3A973E46DC72320FE1B58DC321997621C
SHA-512:	BCAD3E857F31049A1B2B5787BC73B0441FE9CED3CD0322938EE00087C8614DEAACC609FB1086129AF5384306107C77EDA6625C286F76FFDDF9A1E7D2DA26F151
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.4.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67BF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8686
Entropy (8bit):	3.6992463896231493
Encrypted:	false
SSDEEP:	192:R6l7wVeJm1IB6YCE30LgmfJE3aPdpB089bz0UfWDxm:R6lXJke6YxYgmfJE3wjzvfW4
MD5:	A976C9B6FCE9EDBBD97104A5A2F9F41C
SHA1:	E24F52D5CDB9264375E18798A155673B5EC7D51B
SHA-256:	1EE7A32246AF7588E5FE6685B9A649127DD44EF8C2B556F8E21AFC67CDD5537C
SHA-512:	B1F190D629DDF8DEB78C9CE7D027FF0832FA58166D214A19B5D7884165E0CB453B03D817A0987740572754F0988DF04CE3D26C0B3F6018D72A3CD0FEC9F42DDD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67EF.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4767
Entropy (8bit):	4.506357700050959
Encrypted:	false
SSDEEP:	48:cvIwWl8zsxJg771I9dGnWpW8VYOYm8M4JChYsChYKpHKFiyq85mhYIegr2ptSTS6:uIjfDI7mL7V2JbRO/poO0d
MD5:	A10692FE233C32227BD37507BCE1A143
SHA1:	FBB3799F58A9568FD07B7C1A1D38906F7593C319
SHA-256:	40191B9AD0D54A162359B53EE0D608AAB4DC7A578F1EBFF15BE8C22BEEB55813
SHA-512:	87FA76250952A053F0C7351FEB93F77FD60C54E271BE1DF74D2E221EF68EA065841E1084688B837A399CCC59EC86C58AD0AF2CDDF4A8CB7B0AA8EF6DD272C571
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295874" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER680D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8728
Entropy (8bit):	3.7076958087477263
Encrypted:	false
SSDEEP:	192:R6l7wVeJVKbxG56Y32I0gmfOS3RDpBu89bzmUfRxm:R6lXJ4bxA6YGjgmfOS3R7zNf2
MD5:	5717C2AA44148C300B61C715B3128646
SHA1:	6C9531C3C8075D64BF634CD306D79DCF3D48EC95
SHA-256:	71980F9C6DC3EC682AB9E4D52CAA3537A421A1BE5917DCB56525C6A60923DD55
SHA-512:	82FFE57855B42B2CEF2C944A64F784C20FE416C7AB9154D4304FE8CD293C64CBA7FDB36816A073BE1630BFDFE654F0F1E52881938EE8FB9A8CFE96A3D69C575D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER682E.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4767
Entropy (8bit):	4.5052476800733485
Encrypted:	false
SSDEEP:	48:cvIwWl8zsxJg771I9dGnWpW8VYIYm8M4JChYsChYKpHKFsyq85mhYIegbP2ptSTa:uIjfDI7mL7VUJbLOmepoOy6d
MD5:	A76BB75B2C8CAC9B77529A1801968A9B
SHA1:	F6D9D9A67F5F8845FA3EF97A5877F5EF8222A769
SHA-256:	AB55965FDF664B30FF5BF4C55BD4D1FA6B7FB1B2E3ECB54FC8B0887001575592
SHA-512:	070C398CE637953688F0282989DD1789D94645E65B56A47A84320995BE176027CF71851D19DD72830F4656528349B01876536D8159018DA723D78C00EAEC8C52
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295874" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER683D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4717
Entropy (8bit):	4.469271871678562
Encrypted:	false
SSDEEP:	48:cvIwWl8zsxJg771I9dGnWpW8VYmYm8M4JPNpHKFCzyq85TBegO2fsZgd:uIjfDI7mL7ViJPP1zIU2fsZgd
MD5:	A22FCFEA3F154427FC746D7B7394A01E
SHA1:	AEAE4C68F7151A0E1F4414FFD442DAB7B4EB7FDF
SHA-256:	C90C06CC0ACF8E8095ECE7C0A3835AB2CD7ABEE489AC7E888F6534D9CAFEC430
SHA-512:	322D0ACE88B22BEA3C8589DFC8AE0592C8FECCE9F47AE1C5BD324DE8D5ED768BF3662AB239D24989203EAE3297FF64303A2AA15EAF058228112E750CE0873D9A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295874" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7105.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:11:53 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	59074
Entropy (8bit):	1.797773140056906
Encrypted:	false
SSDEEP:	192:U8lHvXJChzOMGdlMXyVW5M0zbg4SLVxcPXXBlulNpua6ATjtlO:RlBoq9dlMXyVWy6XBlu4a6ATjtQ
MD5:	1EBD2547DFC0466724FB90AF2669B583
SHA1:	5FD8A5074F48C852C0ADF19EFFB94735F9C23D4B
SHA-256:	5DCFE6758A663964069D65FB3660A2DF71E2149B1D628B44B27FDA5DF73FA9BF
SHA-512:	9BC6D1277B38BF540D8EC8C2AA6FA7F2E2D2027F2290E2F95C4B5931051C513F5D5C3E0326AA1FF586469D78CC4A51AD1FE8007A7A0F0864A1DF8C2E796899E3
Malicious:	false
Preview:	MDMP..a..... .........f........................................D,..........T.......8...........T...........................p...........\...............................................................................eJ..............Lw......................T.......P.....f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7183.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8526
Entropy (8bit):	3.702939105414438
Encrypted:	false
SSDEEP:	192:R6l7wVeJKj3xB6YCg30LgmfOS3RDpBRC89bBv4fiLm:R6lXJ+3xB6YdYgmfOS3RF7Bwf3
MD5:	C12A4C3243364B34D0983A84CEFABCC2
SHA1:	D006D6F1CBFF6F4DFCAC062E3D7483A94B6D0028
SHA-256:	8427A6C2B5451E07BEF37B6D725C1C9EFE9940DA028F52D6755249102ABC814F
SHA-512:	9D603962B844C828F7D7BC6B9407F0C091D085A9E750D88C722D953E57C836EEA0DABCC221C738292C16F4D05D36202E7B24D015A22CFA1D9D583EC186264B8D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71B3.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4767
Entropy (8bit):	4.505965071777019
Encrypted:	false
SSDEEP:	48:cvIwWl8zsxJg771I9dGnWpW8VYuYm8M4JChYsChYKpHKFlzyq85mhYIegpdptST+:uIjfDI7mL7VeJbqO6poOnd
MD5:	44E0444D9478D9304E99C1A80A1A3EDF
SHA1:	2AEF55C7B8187DB10DC3DE26938249051C4FECC7
SHA-256:	67767CF2C4EB975447284288F742A393D97969C3F5125E0C15CDDEAB05DD3069
SHA-512:	BE168F4E76CC4B45D3B1166C361C559BF9D9B7DC80447698FFCFB5B56A21F0BFBB41306E44812C30E1216575CB4EA54F9696D3372E03E326DD7497C239067F1E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295874" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 20:11:56 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	71442
Entropy (8bit):	1.6261314152737159
Encrypted:	false
SSDEEP:	192:NHlrXpyhyOMnAMQ+a1QpVx3UlGpjgOJVlwxPmT/HM:ZXYNiAMQ+a1iklG2YVlwxPmT
MD5:	A63BC674DA49EA35C803C2C44E4DF3EF
SHA1:	17714F23E34556669D5E73F2158DCCBE03A197BD
SHA-256:	BCCEAA15EB4AFC7DD627695D64D6D8D98FAFDA3B939C438BB19E3A53AF11665F
SHA-512:	CFBA76F469BDC334026F3F18E264122F4310770616E5E992EAB37872D6435E7E5D135975EB517C8CA7E8EACA685EE1964B67DCFFB6A142470CBA06000326B8F3
Malicious:	false
Preview:	MDMP..a..... .........f....................................D...D1..........T.......8...........T.......................................................................................................................eJ......$.......Lw......................T.......h.....f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CED.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8524
Entropy (8bit):	3.704261571491055
Encrypted:	false
SSDEEP:	192:R6l7wVeJLj8xY56YCk30LgmfOS3RDpBK89bcq4fKUm:R6lXJf8xW6YJYgmfOS3Rfctf4
MD5:	AE872DE9A71245806E74F955909C190A
SHA1:	40D1236AA258B0490A509B85ABC32E7C88A0F4BF
SHA-256:	00213CA53DE1F8EF2B0C45765DBE72B3AEED7A9AB1449284748A3B1FEFB8596C
SHA-512:	354C45EC6FBA553CA1A1E0AD7213350E9848FBDCEB50C21EB9D26D7CCC5C5D2340DFA8B721E720EE8D760C0FE38182A03382F856AB7592D8AAF78A1EE99F19D7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D4C.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4767
Entropy (8bit):	4.506964592909788
Encrypted:	false
SSDEEP:	48:cvIwWl8zsxJg771I9dGnWpW8VYxb0Ym8M4JChYsChYKpHKF8yq85mhYIegCptSTC:uIjfDI7mL7VyJbLOHpoOrd
MD5:	A0792D5A0403322F9B734CC0CD42A591
SHA1:	6EAF0E4C5898397AA91B4040206D7782249B8E1B
SHA-256:	34B8CD57C4B9EEEEED13E60104B3F68E6CFCF24240908663DFF25E7C182636E5
SHA-512:	0455F53E266EE70AAD903D347CF3BB63C33E2591A44BFD45ECADF7117257F65FB964EBB3B2F978F5B261F3CADA0E8984869A16774C4788EAE40B1989F4022F67
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295874" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8885.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Apr 25 20:11:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	61888
Entropy (8bit):	1.7981789680093967
Encrypted:	false
SSDEEP:	384:/RefNFzdMButtvwwI0l2/EWL39HbJJJxY40XKGgfV:EFFz/Nwh/LJPfV
MD5:	E45496FF1320799B3139769EB5F69D3A
SHA1:	40F73EEB7219B3D8B4B98C20FEC77FC52B83127F
SHA-256:	572141AE832D5D0972C5FE9E227423443BACD88DA488D631A53E5E72AD07D9C9
SHA-512:	95DCD38F37A542709F585B3EACF672088A85A41E70267BA12CD039C448CD852AA01DDAE282A54D4DB2C8C7EFE994657219F9990DD8C17AD96A97639D67D59FA7
Malicious:	false
Preview:	MDMP..a..... .........f........................h...........$................,..........`.......8...........T...........H...x...........4........... ...............................................................................eJ..............Lw......................T.............f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88C4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8540
Entropy (8bit):	3.7011743717592376
Encrypted:	false
SSDEEP:	192:R6l7wVeJCOC86Y2DgLA4XFHgmfh3WXpBw89b75wf0JJm:R6lXJDX6YNLAuFHgmfh3C7ufz
MD5:	243EF54054095930590D42A6DBBF3060
SHA1:	350E5A02CDEC9D5643287100BE528A4D59ACD74A
SHA-256:	5196286A492CE795B3C2BFEDDA160F069DA6A6A29E787FF0CD3C9615E6EF2013
SHA-512:	4071B528FE0AB1A44A689CA6B9149EEFBBF0EE531D308B225B186A98163CC65DD5BE787E1808D832C572480BF89E0E7D6C0512219C592C9003FD5BDF5CEE7B4C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8904.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4646
Entropy (8bit):	4.454493282682714
Encrypted:	false
SSDEEP:	48:cvIwWl8zsxJg771I9dGnWpW8VYeYm8M4J8pHKFwqyq85Yegtw2FV1xUd:uIjfDI7mL7VGJkpqAqF7xUd
MD5:	7B95D693ABFBEED697DEF5A7206CC277
SHA1:	DEA7F96CE715C2B7E72D0A989D1311B08FB09782
SHA-256:	C9B00A1BA5DDAEE1A25D096AA6AFB662D7EEB1A1479F4C18E1AFEB040B055953
SHA-512:	748129BFA44B11C249BD4AF912E74D0CB8C30CAD55F544699CBAF4637FE8CCB8243B9A5D935AA7CC42E014F3F1493EE32AF7984A7F4B46635E549708215FAC0C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295874" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.475531652370838
Encrypted:	false
SSDEEP:	6144:/zZfpi6ceLPx9skLmb0fVZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5S:rZHtVZWOKnMM6bFplj4
MD5:	E985999855C002D225BDFFAD3BDBCBD7
SHA1:	5EFBF591527B5F5BC392B07487EAB23989A4C63B
SHA-256:	4A90607C6CF16CFA2CDF627D1C8BFA0A67B36C36ED789170A2284D5840780F03
SHA-512:	DC19163DBBEFC7C8D895EBB3CC0637B95EDE8DD61DCDDFDA47DFBE7E3909D9DF7D98D66C8CA5A1CD6D7842BBD79A2A2B874A1968450F3257A88A0D62008022B1
Malicious:	false
Preview:	regfK...K....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.L..L...............................................................................................................................................................................................................................................................................................................................................\...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	6.0626097554306275
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	6CUj5MBggF.dll
File size:	663'552 bytes
MD5:	c73715e14f2de81195606feb4446e227
SHA1:	ab9708fcfc118edecced4facbab0f731174ba812
SHA256:	27c0935a22862475bb3fd516f93bd466f8021f77727e83f53d67d76978b439ee
SHA512:	cff44b75d487fdf1dfea3b7431c94c13540762896a65350aee239062aa0012227411eb30b1005feacfe5f71b4335fb9991c52ae0d6dce708e0dc62f562c3302c
SSDEEP:	12288:gH+t7TZlZpmbB6InNHAqVio+4XbYVBx1b+i:VfbpwdgqVi94XbY7b+i
TLSH:	E4E44C2E73E94472D066D13AC6578322F6B1B0682B5192DF5254C33D5F2BEE82F39B24
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@.y..o...o...o.......o.......o...o..}n.......o.......o.......o......'o.......o.......o..Rich.o..........................PE..d..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x7ffb8529f1f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x7ffb85240000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp:	0x4DB39C95 [Sun Apr 24 03:44:21 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	48030dc79fb33b4639f06d7d8da0de6e

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F19C5243777h
call 00007F19C5244418h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F19C524377Ch
int3
int3
int3
int3
int3
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+20h], ebx
dec esp
mov dword ptr [eax+18h], eax
mov dword ptr [eax+10h], edx
dec eax
mov dword ptr [eax+08h], ecx
push esi
push edi
inc ecx
push esi
dec eax
sub esp, 00000150h
mov edi, edx
dec esp
mov esi, ecx
mov esi, 00000001h
mov ebx, esi
mov dword ptr [esp+20h], ebx
cmp edx, esi
jnbe 00007F19C5243778h
mov dword ptr [0002C6ADh], edx
test edx, edx
jne 00007F19C5243785h
cmp dword ptr [0002D22Bh], edx
jne 00007F19C524377Dh
xor ebx, ebx
mov dword ptr [esp+20h], ebx
jmp 00007F19C524394Fh
lea eax, dword ptr [edx-01h]
cmp eax, esi
ja 00007F19C5243806h
dec esp
mov ecx, dword ptr [0002DC64h]
dec ebp
test ecx, ecx
je 00007F19C52437B4h
mov eax, dword ptr [0002D205h]
cmp edx, esi
cmove eax, esi
mov dword ptr [0002D1FAh], eax
dec esp
mov eax, dword ptr [esp+00000180h]
dec ecx
mov eax, ecx
call dword ptr [00000025h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x85f40	0x4bc	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1000	0x104	.reloc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x93000	0xb608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x8d000	0x41f4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9f000	0x12ec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7f5c0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x67008	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x66ef0	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x67030	0x9a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x858d8	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x611fc	0x61200	f68e57600a5efecf15ed35307cf45707	False	0.46335565476190477	dBase III DBT, version number 0, next free block index 120000, 1st item "\216:\320/\033\220\335\333\340\004\215\0011\305\376\370\261%5"<.\2148\321b"	6.236240121345617	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x63000	0x252cc	0x25400	516d6be1259b6e9d6161b6eb41a9be2a	False	0.27569866820469796	data	5.431124887263653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x89000	0x3fa0	0x3fa0	9ce11cfbc07a63a79ce9a68608f1d020	False	0.16914292730844793	data	2.473794296864802	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x8d000	0x41f4	0x4200	15676f3535af7f37644c4e85aec067b1	False	0.5033735795454546	PEX Binary Archive	5.730919091637771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x92000	0x1c8	0x200	826e2b422d288983118404ea431bd8ca	False	0.326171875	data	3.1371354558253555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x93000	0xb608	0xb800	3df83834486312970c95c4de3d17643e	False	0.3156632133152174	data	4.794316296192569	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9f000	0x3000	0x3000	209af3aea24749a01c14c96e1300b396	False	0.138427734375	data	3.1132633479063445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MUI	0x9e510	0xf8	data	English	United States	0.5806451612903226
TYPELIB	0x93480	0xb090	data	English	United States	0.3152433628318584
RT_VERSION	0x93100	0x37c	data	English	United States	0.4585201793721973

Imports

DLL	Import
msvcrt.dll	_unlock, _lock, realloc, _errno, ??1type_info@@UEAA@XZ, ?terminate@@YAXXZ, _initterm, _amsg_exit, _XcptFilter, _CxxThrowException, _callnewh, ??0exception@@QEAA@AEBQEBDH@Z, _wtoi64, wcstol, iswxdigit, towlower, wcsstr, _wcsupr, bsearch, qsort, _wcsnicmp, _wtol, wcsncmp, iswspace, wcspbrk, wcschr, ldiv, strrchr, ??0exception@@QEAA@XZ, memmove_s, ??0exception@@QEAA@AEBQEBD@Z, ??1exception@@UEAA@XZ, ?what@exception@@UEBAPEBDXZ, ??0exception@@QEAA@AEBV0@@Z, _vsnprintf, _purecall, wcscat_s, wcscpy_s, memcpy_s, free, malloc, wcsncpy_s, __C_specific_handler, _wcsicmp, wcsrchr, _vsnwprintf, __dllonexit, _onexit, memmove, memcpy, memcmp, wcscmp, memset, swscanf, srand, __CxxFrameHandler3
ntdll.dll	RtlCopySid, RtlLengthSid, RtlNtStatusToDosError, NtAllocateLocallyUniqueId, RtlDeleteResource, RtlInitializeResource, RtlAcquireResourceExclusive, RtlReleaseResource, RtlAcquireResourceShared, RtlIdentifierAuthoritySid, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RtlValidSecurityDescriptor, RtlValidSid, RtlNumberGenericTableElementsAvl, RtlEnumerateGenericTableAvl, NtClose, RtlFreeHeap, NtCreateFile, RtlDosPathNameToNtPathName_U, RtlInitUnicodeString, RtlLookupElementGenericTableAvl, RtlDeleteElementGenericTableAvl, RtlInsertElementGenericTableAvl, RtlEqualSid, RtlInitString, RtlImageNtHeader, RtlDeleteCriticalSection, RtlEnterCriticalSection, RtlConvertExclusiveToShared, RtlInitializeCriticalSection, RtlLeaveCriticalSection, RtlConvertSharedToExclusive, RtlInitializeGenericTableAvl
USER32.dll	UnregisterClassA, CharUpperW, CharNextW
KERNEL32.dll	ResolveDelayLoadedAPI, SetThreadStackGuarantee, LoadLibraryW, GetSystemInfo, DelayLoadFailureHook, VirtualQuery, VirtualProtect, WakeAllConditionVariable, VirtualAlloc, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, OutputDebugStringA, GetTickCount, GetCurrentThreadId, QueryPerformanceCounter, CreateFileW, GetLastError, CloseHandle, MultiByteToWideChar, FindResourceW, SizeofResource, LoadResource, LockResource, FreeLibrary, GetProcAddress, LoadLibraryExW, GetModuleHandleW, lstrcmpiW, LeaveCriticalSection, RaiseException, EnterCriticalSection, FindResourceExW, GetModuleFileNameW, InitializeCriticalSection, DeleteCriticalSection, DisableThreadLibraryCalls, WideCharToMultiByte, LocalAlloc, LocalFree, GetEnvironmentVariableW, CreateDirectoryW, GetCurrentProcessId, WriteFile, GetLocalTime, GetVersionExW, CreateTimerQueue, DeleteTimerQueueEx, CreateTimerQueueTimer, DeleteTimerQueueTimer, GetCurrentThread, GetCurrentProcess, GetComputerNameW, GetSystemTimeAsFileTime, GetFileAttributesW, GetVolumeInformationW, GetFileAttributesExW, CompareFileTime, DeleteFileW, GetFullPathNameW, TerminateProcess, SetLastError, CompareStringW, FormatMessageW, Sleep, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SleepConditionVariableSRW
ole32.dll	CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc, StringFromGUID2, CLSIDFromString, CoInitializeEx, CoUninitialize, CLSIDFromProgID, StringFromCLSID, CoCreateInstance
OLEAUT32.dll	LoadRegTypeLib, SysAllocString, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, VariantInit, SafeArrayCreate, VariantClear, SafeArrayPutElement, SysStringLen, VariantCopy, SysStringByteLen, SysAllocStringByteLen, VarBstrCmp, VarCmp, SafeArrayGetElement, SafeArrayGetLBound, SafeArrayGetUBound, SysAllocStringLen, SafeArrayGetDim, RegisterTypeLib, VarUI4FromStr, SysFreeString, LoadTypeLib, SafeArrayGetVartype, VariantChangeType
ADVAPI32.dll	CreateWellKnownSid, LsaNtStatusToWinError, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegCloseKey, RegQueryInfoKeyW, RegEnumKeyExW, RegOpenKeyExW, RegSetValueExW, RegCreateKeyExW, PerfCreateInstance, PerfSetCounterRefValue, PerfSetCounterSetInfo, PerfStartProvider, PerfStopProvider, RegDeleteValueW, LookupAccountNameW, LookupAccountSidW, ConvertSidToStringSidW, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptAcquireContextW, CryptReleaseContext, MakeSelfRelativeSD, AdjustTokenPrivileges, SetSecurityDescriptorSacl, AddAuditAccessAceEx, AddAccessAllowedObjectAce, AddAccessAllowedAceEx, IsValidSid, GetAce, GetAclInformation, GetSecurityDescriptorLength, SetNamedSecurityInfoW, GetSecurityDescriptorDacl, GetSecurityDescriptorSacl, GetNamedSecurityInfoW, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, CopySid, DuplicateTokenEx, OpenProcessToken, EqualDomainSid, SetThreadToken, OpenThreadToken, GetTokenInformation, GetLengthSid, RegQueryValueExW, ConvertStringSidToSidW, LsaOpenPolicy
AUTHZ.dll	AuthziInitializeAuditEventType, AuthziAllocateAuditParams, AuthziInitializeAuditParamsWithRM, AuthziInitializeAuditEvent, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthziFreeAuditParams, AuthzAccessCheck, AuthzInitializeContextFromSid, AuthzInitializeContextFromToken, AuthzAddSidsToContext, AuthzGetInformationFromContext, AuthzFreeContext, AuthziFreeAuditEventType, AuthzFreeResourceManager, AuthzInitializeResourceManager
RPCRT4.dll	RpcStringFreeA, UuidCreate, RpcStringFreeW, UuidToStringW, UuidToStringA, UuidFromStringW
DSPARSE.dll	DsQuoteRdnValueW
NTDSAPI.dll	DsBindW, DsCrackNamesW, DsUnBindW, DsFreeNameResultW
ODBC32.dll

Exports

Name	Ordinal	Address
AzAddPropertyItem	1	0x7ffb85279110
AzApplicationClose	2	0x7ffb852680b0
AzApplicationCreate	3	0x7ffb85267fa0
AzApplicationDelete	4	0x7ffb85268280
AzApplicationEnum	5	0x7ffb85268250
AzApplicationOpen	6	0x7ffb85267fe0
AzAuthorizationStoreDelete	7	0x7ffb85265de0
AzCloseHandle	8	0x7ffb85265e90
AzContextAccessCheck	9	0x7ffb852720f0
AzContextGetAssignedScopesPage	10	0x7ffb852731e0
AzContextGetRoles	11	0x7ffb85274550
AzFreeMemory	12	0x7ffb85266010
AzGetProperty	13	0x7ffb85265db0
AzGroupCreate	14	0x7ffb8527c660
AzGroupDelete	15	0x7ffb8527c880
AzGroupEnum	16	0x7ffb8527c7c0
AzGroupOpen	17	0x7ffb8527c710
AzInitialize	18	0x7ffb85265750
AzInitializeContextFromName	19	0x7ffb85271480
AzInitializeContextFromToken	20	0x7ffb85270eb0
AzOperationCreate	21	0x7ffb8528ab70
AzOperationDelete	22	0x7ffb8528ac20
AzOperationEnum	23	0x7ffb8528abf0
AzOperationOpen	24	0x7ffb8528abb0
AzRemovePropertyItem	25	0x7ffb852794e0
AzRoleCreate	26	0x7ffb8527cd20
AzRoleDelete	27	0x7ffb8527cf00
AzRoleEnum	28	0x7ffb8527ce60
AzRoleOpen	29	0x7ffb8527cdc0
AzScopeCreate	30	0x7ffb852893a0
AzScopeDelete	31	0x7ffb852894b0
AzScopeEnum	32	0x7ffb85289480
AzScopeOpen	33	0x7ffb852893e0
AzSetProperty	34	0x7ffb85265dd0
AzSubmit	35	0x7ffb8528ca00
AzTaskCreate	36	0x7ffb8528a3c0
AzTaskDelete	37	0x7ffb8528a5a0
AzTaskEnum	38	0x7ffb8528a500
AzTaskOpen	39	0x7ffb8528a460
AzUpdateCache	40	0x7ffb85265d30
DllCanUnloadNow	41	0x7ffb85243b00
DllGetClassObject	42	0x7ffb85243b20
DllRegisterServer	43	0x7ffb85243c50
DllUnregisterServer	44	0x7ffb85243d50

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	22:11:50
Start date:	25/04/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\6CUj5MBggF.dll"
Imagebase:	0x7ff799940000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:11:50
Start date:	25/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:11:50
Start date:	25/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6CUj5MBggF.dll",#1
Imagebase:	0x7ff7d8260000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:11:50
Start date:	25/04/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\6CUj5MBggF.dll
Imagebase:	0x7ff6bca50000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:11:50
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\6CUj5MBggF.dll",#1
Imagebase:	0x7ff669ba0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:11:50
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzAddPropertyItem
Imagebase:	0x7ff669ba0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:11:50
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5576 -s 456
Imagebase:	0x7ff69b870000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	22:11:50
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 504 -s 344
Imagebase:	0x7ff69b870000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:11:50
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5720 -s 376
Imagebase:	0x7ff69b870000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:11:53
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzApplicationClose
Imagebase:	0x7ff669ba0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	22:11:53
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5200 -s 344
Imagebase:	0x7ff69b870000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	22:11:56
Start date:	25/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\6CUj5MBggF.dll,AzApplicationCreate
Imagebase:	0x7ff669ba0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	22:11:56
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2664 -s 344
Imagebase:	0x7ff69b870000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	22:11:59
Start date:	25/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3080 -s 412
Imagebase:	0x7ff69b870000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6CUj5MBggF.dll

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll64.exe_ad93cb228ab98f9ef5f4ec267a7cf3171f88dc4_606702e6_a7367550-730b-476e-8289-dfb0b98b2092\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_5430187a20f1e1abcbbb987c41713fb407235ea_e29f7403_5a2d7340-ba07-41d0-a4cb-e403a198e059\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6CU_7388dff48cc23628a4ea92b83ffbbc9f91ab18_d33dfb83_6292dada-936a-4b51-806b-5e354b1c75ee\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6CU_7388dff48cc23628a4ea92b83ffbbc9f91ab18_d33dfb83_7ba62480-dbd8-40d1-aada-2d35fbba7c1b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6CU_7388dff48cc23628a4ea92b83ffbbc9f91ab18_d33dfb83_979c50c0-29ee-4e52-a078-833371fa9173\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6CU_7388dff48cc23628a4ea92b83ffbbc9f91ab18_d33dfb83_d0849452-92c2-4bc5-8dd0-8d4c6d981e0c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66A5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66B5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6751.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6762.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67BF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67EF.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER680D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER682E.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER683D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7105.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7183.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER71B3.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CED.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D4C.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8885.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88C4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8904.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Windows Analysis Report
6CUj5MBggF.dll