yPIOW6yoPi.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.59779116665988
Filename: yPIOW6yoPi.exe
Filesize: 397312
MD5: a0acd7920f09a59331e008f8d3dc7ac1
SHA1: f6bf51b2bccc91476136e43a91b17076ed78b083
SHA256: 4d8f242a1d64b3b41748d2bd56ee6f7119434dedcdf793a83cea95fb31d13347
SHA512: 10aa260961df5472b9b79a72fb9ab1a4ea9c088c817db107f9355fbb7b6b3369b17127933ead6b10a01e4270e3f533e37699eeb77dd084d8821d47c5fc5c870e
SSDEEP: 6144:pvesyWj0MhFpikvYFmSkoxT88KaUqcZLROqNwlggoWLOEC:pesyY0M3xvYDY8KgchIvlgXWy
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'...I...I...I.......I.......I.....".I..d2...I...H...I.......I.......I.......I.Rich..I.................PE..L...LB.d...........

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection
Contains functionality to bypass UAC (CMSTPLUA) | Privilege Escalation | Bypass User Account Control, Access Token Manipulation
Detected Remcos RAT | Remote Access Functionality
Detected unpacking (changes PE section rights) | Data Obfuscation
Multi AV Scanner detection for submitted file | AV Detection
Contains functionality to register a low level keyboard hook | Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to steal Chrome passwords or cookies | Stealing of Sensitive Information | System Owner/User Discovery
Contains functionality to steal Firefox passwords or cookies | Stealing of Sensitive Information | Access Token Manipulation
Contains functionality to change the wallpaper | Spam, unwanted Advertisements and Ransom Demands
Creates autostart registry keys with suspicious names | Boot Survival | Access Token Manipulation
Delayed program exit found | Malware Analysis System Evasion | Access Token Manipulation
Machine Learning detection for sample | AV Detection
Checks if the current process is being debugged | Anti Debugging | Virtualization/Sandbox Evasion
Contains functionality to read data from the clipboard | Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to call native functions | System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Anti Debugging
Contains functionality to download and launch executables | Persistence and Installation Behavior | Access Token Manipulation
Contains functionality to dynamically determine API calls | Data Obfuscation, Anti Debugging
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection) | HIPS / PFW / Operating System Protection Evasion | Access Token Manipulation
Contains functionality to enumerate running services | Malware Analysis System Evasion
Contains functionality to launch and control a shell (cmd.exe) | Remote Access Functionality | Command and Scripting Interpreter, Access Token Manipulation, System Owner/User Discovery
Contains functionality to modify clipboard data | Key, Mouse, Clipboard, Microphone and Screen Capturing | Access Token Manipulation
Contains functionality to query CPU information (cpuid) | Language, Device and Operating System Detection
Contains functionality to query locale information (e.g. system language) | Language, Device and Operating System Detection | Access Token Manipulation
Contains functionality to read the PEB | Anti Debugging | Access Token Manipulation
Contains functionality to read the clipboard data | Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to retrieve information about pressed keystrokes | Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to shutdown / reboot the system | System Summary | Access Token Manipulation
Contains functionality to simulate mouse events | HIPS / PFW / Operating System Protection Evasion
Contains functionality which may be used to detect a debugger (GetProcessHeap) | Anti Debugging | Security Software Discovery
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | File and Directory Discovery
Detected potential crypto function | System Summary | Access Token Manipulation
Drops PE files | Persistence and Installation Behavior | Access Token Manipulation
Extensive use of GetProcAddress (often used to hide API calls) | Hooking and other Techniques for Hiding and Protection
Found evaded block containing many API calls | Malware Analysis System Evasion | Access Token Manipulation
Found large amount of non-executed APIs | Malware Analysis System Evasion | Access Token Manipulation
One or more processes crash | System Summary
Sample file is different than original file name gathered from version info | System Summary | Access Token Manipulation
Uses 32bit PE files | Compliance, System Summary
Uses Microsoft's Enhanced Cryptographic Provider | Cryptography
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary
Contains functionality to adjust token privileges (e.g. debug / backup) | System Summary | Access Token Manipulation
Contains functionality to download additional files from the internet | Networking
Contains functionality to enumerate processes or threads | System Summary | Access Token Manipulation
Contains functionality to enumerate / list files inside a directory | Spreading, Malware Analysis System Evasion
Contains functionality to load and extract PE file embedded resources | System Summary
Contains functionality to modify services (start/stop/modify) | System Summary | Access Token Manipulation, System Information Discovery
Contains functionality to query local / system time | Language, Device and Operating System Detection | Access Token Manipulation, System Information Discovery
Contains functionality to query local drives | Spreading, Malware Analysis System Evasion | File and Directory Discovery
Contains functionality to query the account / user name | Language, Device and Operating System Detection | System Owner/User Discovery
Contains functionality to query time zone information | Language, Device and Operating System Detection | Access Token Manipulation
Contains functionality to register its own exception handler | Anti Debugging
Contains functionality to start Windows services | Boot Survival | Access Token Manipulation
Creates an autostart registry key | Boot Survival | Registry Run Keys / Startup Folder, Access Token Manipulation
Creates files inside the user directory | System Summary
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection
Might use command line arguments | System Summary
PE file has an executable .text section and no other executable section | System Summary | Access Token Manipulation
Public key (encryption) found | Cryptography | System Owner/User Discovery
Reads ini files | System Summary
Reads software policies | System Summary | Access Token Manipulation
Sample is known by Antivirus | System Summary | Access Token Manipulation
Sample reads its own file content | System Summary | Access Token Manipulation
Tries to load missing DLLs | System Summary
Uses an in-process (OLE) Automation server | System Summary | Access Token Manipulation
Uses new MSVCR DLLs | Compliance, System Summary | Access Token Manipulation

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_f1164e2edceb3e426fcc8f132ef36e41c5c6259_1752a2a0_ca2fc48c-3ee1-4ae6-930c-46450d7d3581\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_f1164e2edceb3e426fcc8f132ef36e41c5c6259_1752a2a0_ca2fc48c-3ee1-4ae6-930c-46450d7d3581\Report.wer
Category: dropped
Dump: Report.wer.19.dr
ID: dr_35
Target ID: 19
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 1.008457597434543
Encrypted: false
Ssdeep: 384:OCCIH9dwyKcxwy4Jtj+zuiFrY4IO8GuT:O2TxwyCj+zuiFrY4IO8
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection
Multi AV Scanner detection for submitted file | AV Detection
Machine Learning detection for sample | AV Detection
Sample file is different than original file name gathered from version info | System Summary
Uses 32bit PE files | Compliance, System Summary
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary
PE file has an executable .text section and no other executable section | System Summary
Public key (encryption) found | Cryptography
Sample is known by Antivirus | System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_039bda82-6726-4bed-ba54-b8025f3f7407\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_039bda82-6726-4bed-ba54-b8025f3f7407\Report.wer
Category: dropped
Dump: Report.wer.10.dr
ID: dr_18
Target ID: 10
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9378506197517005
Encrypted: false
Ssdeep: 192:qpYdIHpzpzDypS056rep3pjjR4ZrPLzuiFrZ24IO8bpwpt:qCIH9dDyn56reJtjKzuiFrY4IO8buT
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection
Multi AV Scanner detection for submitted file | AV Detection
Machine Learning detection for sample | AV Detection
Sample file is different than original file name gathered from version info | System Summary
Uses 32bit PE files | Compliance, System Summary
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary
PE file has an executable .text section and no other executable section | System Summary
Public key (encryption) found | Cryptography
Sample is known by Antivirus | System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_7145277a-e9bd-46c5-bc6a-b581742e3b6f\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_7145277a-e9bd-46c5-bc6a-b581742e3b6f\Report.wer
Category: dropped
Dump: Report.wer.16.dr
ID: dr_30
Target ID: 16
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9375026489286793
Encrypted: false
Ssdeep: 192:uvpYdIHpzpzurypS056rep3pjjR4ZrPLzuiFrZ24IO8bpwpt:4CIH9duryn56reJtjKzuiFrY4IO8buT
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection
Multi AV Scanner detection for submitted file | AV Detection
Machine Learning detection for sample | AV Detection
Sample file is different than original file name gathered from version info | System Summary
Uses 32bit PE files | Compliance, System Summary
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary
PE file has an executable .text section and no other executable section | System Summary
Public key (encryption) found | Cryptography
Sample is known by Antivirus | System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_83c67f10-09d1-4f5e-bb02-5897b429db17\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_83c67f10-09d1-4f5e-bb02-5897b429db17\Report.wer
Category: dropped
Dump: Report.wer.12.dr
ID: dr_22
Target ID: 12
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9375582905119481
Encrypted: false
Ssdeep: 192:wUpYdIHpzpzIypS056rep3pjjR4ZrPLzuiFrZ24IO8bpwpt:pCIH9dIyn56reJtjKzuiFrY4IO8buT
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection
Multi AV Scanner detection for submitted file | AV Detection
Machine Learning detection for sample | AV Detection
Sample file is different than original file name gathered from version info | System Summary
Uses 32bit PE files | Compliance, System Summary
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary
PE file has an executable .text section and no other executable section | System Summary
Public key (encryption) found | Cryptography
Sample is known by Antivirus | System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_9225f348-fc1c-43e9-969c-f488455d47d0\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_9225f348-fc1c-43e9-969c-f488455d47d0\Report.wer
Category: dropped
Dump: Report.wer.14.dr
ID: dr_26
Target ID: 14
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.937605307481161
Encrypted: false
Ssdeep: 192:bghpYdIHpzpzIypS056rep3pjjR4ZrPLzuiFrZ24IO8bpwpt:MhCIH9dIyn56reJtjKzuiFrY4IO8buT
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection
Multi AV Scanner detection for submitted file | AV Detection
Machine Learning detection for sample | AV Detection
Sample file is different than original file name gathered from version info | System Summary
Uses 32bit PE files | Compliance, System Summary
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary
PE file has an executable .text section and no other executable section | System Summary
Public key (encryption) found | Cryptography
Sample is known by Antivirus | System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_a4670110-4580-4a73-a4d1-32c5eedad24e\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_a4670110-4580-4a73-a4d1-32c5eedad24e\Report.wer
Category: dropped
Dump: Report.wer.8.dr
ID: dr_14
Target ID: 8
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9374199248073891
Encrypted: false
Ssdeep: 384:WzLZCIH9duyn56reJtjKzuiFrY4IO8buT:a5j56rgjKzuiFrY4IO8
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection
Multi AV Scanner detection for submitted file | AV Detection
Machine Learning detection for sample | AV Detection
Sample file is different than original file name gathered from version info | System Summary
Uses 32bit PE files | Compliance, System Summary
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary
PE file has an executable .text section and no other executable section | System Summary
Public key (encryption) found | Cryptography
Sample is known by Antivirus | System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_ab7867eb-ccc1-47e5-b15e-9c3a94fe2e36\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_ab7867eb-ccc1-47e5-b15e-9c3a94fe2e36\Report.wer
Category: dropped
Dump: Report.wer.6.dr
ID: dr_10
Target ID: 6
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9303943800349092
Encrypted: false
Ssdeep: 192:JpYdIHpzpz4ypS056rep3pjjR4ZrPMzuiFrZ24IO8bpwpt7:JCIH9d4yn56reJtjFzuiFrY4IO8buT
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection
Multi AV Scanner detection for submitted file | AV Detection
Machine Learning detection for sample | AV Detection
Sample file is different than original file name gathered from version info | System Summary
Uses 32bit PE files | Compliance, System Summary
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary
PE file has an executable .text section and no other executable section | System Summary
Public key (encryption) found | Cryptography
Sample is known by Antivirus | System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_f8f41f5e-6227-4ae3-bf1b-518301d54ad4\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yPIOW6yoPi.exe_fd4b28536be3f5f250312b9457878378f496af_1752a2a0_f8f41f5e-6227-4ae3-bf1b-518301d54ad4\Report.wer
Category: dropped
Dump: Report.wer.4.dr
ID: dr_5
Target ID: 4
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9304746472994024
Encrypted: false
Ssdeep: 192:6UpYdIHpzpz6ypS056rep3pjjR4ZrPMzuiFrZ24IO8bpwpt:6UCIH9d6yn56reJtjFzuiFrY4IO8buT
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus / Scanner detection for submitted sample | AV Detection
Multi AV Scanner detection for submitted file | AV Detection
Machine Learning detection for sample | AV Detection
Sample file is different than original file name gathered from version info | System Summary
Uses 32bit PE files | Compliance, System Summary
Binary may include packed or encrypted code | Data Obfuscation | Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) | System Summary
PE file has an executable .text section and no other executable section | System Summary
Public key (encryption) found | Cryptography
Sample is known by Antivirus | System Summary

C:\Users\user\AppData\Roaming\xenor\yavascript.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\AppData\Roaming\xenor\yavascript.exe
Category: dropped
Dump: yavascript.exe.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\yPIOW6yoPi.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.59779116665988
Encrypted: false
Ssdeep: 6144:pvesyWj0MhFpikvYFmSkoxT88KaUqcZLROqNwlggoWLOEC:pesyY0M3xvYDY8KgchIvlgXWy
Size: 397312
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Contains functionality to bypass UAC (CMSTPLUA) | Privilege Escalation | Bypass User Account Control
Detected Remcos RAT | Remote Access Functionality
Detected unpacking (changes PE section rights) | Data Obfuscation
Sigma detected: Remcos | Stealing of Sensitive Information
Contains functionality to steal Chrome passwords or cookies | Stealing of Sensitive Information
Contains functionality to steal Firefox passwords or cookies | Stealing of Sensitive Information
Contains functionality to change the wallpaper | Spam, unwanted Advertisements and Ransom Demands
Delayed program exit found | Malware Analysis System Evasion
Abnormally high CPU usage | System Summary
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion
Drops PE files | Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion
Found large amount of non-executed APIs | Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification | System Summary
Creates mutexes | System Summary
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection
Program exit points | Malware Analysis System Evasion
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery
Spawns processes | System Summary
Tries to load missing DLLs | System Summary
URLs found in memory or binary data | Networking

C:\Users\user\AppData\Roaming\xenor\yavascript.exe:Zone.Identifier | ASCII text, with CRLF line terminators | modified

File: C:\Users\user\AppData\Roaming\xenor\yavascript.exe:Zone.Identifier
Category: modified
Dump: yavascript.exe_Zone.Identifier.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\yPIOW6yoPi.exe
Type: ASCII text, with CRLF line terminators
Entropy: 3.95006375643621
Encrypted: false
Ssdeep: 3:ggPYV:rPYV
Size: 26
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Contains functionality to bypass UAC (CMSTPLUA) | Privilege Escalation | Bypass User Account Control
Detected Remcos RAT | Remote Access Functionality
Detected unpacking (changes PE section rights) | Data Obfuscation
Contains functionality to steal Chrome passwords or cookies | Stealing of Sensitive Information
Contains functionality to steal Firefox passwords or cookies | Stealing of Sensitive Information
Contains functionality to change the wallpaper | Spam, unwanted Advertisements and Ransom Demands
Delayed program exit found | Malware Analysis System Evasion
Abnormally high CPU usage | System Summary
Checks if the current process is being debugged | Anti Debugging | Security Software Discovery, Virtualization/Sandbox Evasion
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion
Found large amount of non-executed APIs | Malware Analysis System Evasion
Creates mutexes | System Summary
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection
Program exit points | Malware Analysis System Evasion
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery
Spawns processes | System Summary
Tries to load missing DLLs | System Summary
URLs found in memory or binary data | Networking

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3ada1d2124dd83478d28603eafb8278c3cd43a8_ea442dc3_026179ac-8916-407f-91dc-a5a14972c7f8\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3ada1d2124dd83478d28603eafb8278c3cd43a8_ea442dc3_026179ac-8916-407f-91dc-a5a14972c7f8\Report.wer
Category: dropped
Dump: Report.wer.37.dr
ID: dr_63
Target ID: 37
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9430481199281755
Encrypted: false
Ssdeep: 96:3amXhJvs1h/oA7Rn6tQXIDcQnc6rCcEhcw3r7+HbHg/TgJ3YOZUXWIOy4Hov9tZZ:zvvQ056rwjR4Zr+NzuiFrZ24IO8a8
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
URLs found in memory or binary data | Networking

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3ada1d2124dd83478d28603eafb8278c3cd43a8_ea442dc3_6bc045d0-02d5-4a02-89f2-a6a0651423b7\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3ada1d2124dd83478d28603eafb8278c3cd43a8_ea442dc3_6bc045d0-02d5-4a02-89f2-a6a0651423b7\Report.wer
Category: dropped
Dump: Report.wer.34.dr
ID: dr_56
Target ID: 34
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9076248951799786
Encrypted: false
Ssdeep: 96:tMjXhJF9s1h/oA7Rn6tQXIDcQnc6rCcEhcw3r7+HbHg/TgJ3YOZUXWIOy4Hov9ts:tQvF9Q056rwjR4Zr+UzuiFrZ24IO8a8
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
URLs found in memory or binary data | Networking

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3ada1d2124dd83478d28603eafb8278c3cd43a8_ea442dc3_781d5b2c-740b-40ff-8110-596b8b9678ba\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3ada1d2124dd83478d28603eafb8278c3cd43a8_ea442dc3_781d5b2c-740b-40ff-8110-596b8b9678ba\Report.wer
Category: dropped
Dump: Report.wer.29.dr
ID: dr_51
Target ID: 29
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9077335567353353
Encrypted: false
Ssdeep: 96:A0RXhJxs1h/oA7Rn6tQXIDcQnc6rCcEhcw3r7+HbHg/TgJ3YOZUXWIOy4Hov9tZ+:hxvxQ056rwjR4Zr+UzuiFrZ24IO8a8
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
URLs found in memory or binary data | Networking

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3ada1d2124dd83478d28603eafb8278c3cd43a8_ea442dc3_8517f58d-bc75-442d-86f3-9222e589eca9\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3ada1d2124dd83478d28603eafb8278c3cd43a8_ea442dc3_8517f58d-bc75-442d-86f3-9222e589eca9\Report.wer
Category: dropped
Dump: Report.wer.26.dr
ID: dr_47
Target ID: 26
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9078160015063432
Encrypted: false
Ssdeep: 96:qJaVXhJMs1h/oA7Rn6tQXIDcQnc6rCcEhcw3r7+HbHg/TgJ3YOZUXWIOy4Hov9ts:UYvMQ056rwjR4Zr+UzuiFrZ24IO8a8
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
URLs found in memory or binary data | Networking

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3ada1d2124dd83478d28603eafb8278c3cd43a8_ea442dc3_e4ea9386-551c-4f98-b367-86f863fb4c76\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_3ada1d2124dd83478d28603eafb8278c3cd43a8_ea442dc3_e4ea9386-551c-4f98-b367-86f863fb4c76\Report.wer
Category: dropped
Dump: Report.wer.22.dr
ID: dr_39
Target ID: 22
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9077390562342458
Encrypted: false
Ssdeep: 96:r95PXhJcs1h/oA7Rn6tQXIDcQnc6rCcEhcw3r7+HbHg/TgJ3YOZUXWIOy4Hov9ts:J5vvcQ056rwjR4Zr+UzuiFrZ24IO8a8
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
URLs found in memory or binary data | Networking

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_5234ed1d7ecb99e2551a7c6515903d7434b037_ea442dc3_01c2a705-21c2-451f-a615-5ae6805d6bae\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_5234ed1d7ecb99e2551a7c6515903d7434b037_ea442dc3_01c2a705-21c2-451f-a615-5ae6805d6bae\Report.wer
Category: dropped
Dump: Report.wer.24.dr
ID: dr_43
Target ID: 24
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.8580526450272092
Encrypted: false
Ssdeep: 96:U60XhJBus1h/H7if2QXIDcQuc6BcE/cw3u+HbHgoZee4nyNIPzOyRgo2ftZrcmEv:f8vBuH0gF1jjbHZrGzuiFrZ24IO8P8
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
URLs found in memory or binary data | Networking

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_9a5ba2c8fe28881fe54ec8233a3cde1e501b46_ea442dc3_2ee97c34-6f1f-426e-8948-3ed966e17be7\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped

File: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_yavascript.exe_9a5ba2c8fe28881fe54ec8233a3cde1e501b46_ea442dc3_2ee97c34-6f1f-426e-8948-3ed966e17be7\Report.wer
Category: dropped
Dump: Report.wer.31.dr
ID: dr_55
Target ID: 31
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 0.9075338271961502
Encrypted: false
Ssdeep: 192:PvMA0JsAnbcA/jR4Zr+UzuiFrZ24IO8a8:PvMbJsAnbcA/jqzuiFrY4IO8a
Size: 65536
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
URLs found in memory or binary data | Networking

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4E7.tmp.dmp
Category: dropped
Dump: WERA4E7.tmp.dmp.4.dr
ID: dr_2
Target ID: 4
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:39 2025, 0x1205a4 type
Entropy: 2.3530009678156425
Encrypted: false
Ssdeep: 768:scsqZdQH76nNdq2iytq6JoOHUO7wK2M9DDKv:sgzNLqNOHUO7wwXKv
Size: 85856
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA6BD.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WERA6BD.tmp.WERInternalMetadata.xml.4.dr
ID: dr_3
Target ID: 4
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.6985113365025244
Encrypted: false
Ssdeep: 192:R6l7wVeJLpu262RG6Y2DOSU9T1C05gmfppdaWpBu89b8ROsfcq+Bm:R6lXJLR6B6YjSU9s05gmfpj18RNfc18
Size: 8414
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA6FD.tmp.xml
Category: dropped
Dump: WERA6FD.tmp.xml.4.dr
ID: dr_4
Target ID: 4
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.494996330281959
Encrypted: false
Ssdeep: 48:cvIwWl8zsPJg77aI9uxWpW8VYEYm8M4JqtF++q8v2Me7Bsd:uIjfxI70g7VIJFKu7Bsd
Size: 4720
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA97B.tmp.dmp
Category: dropped
Dump: WERA97B.tmp.dmp.6.dr
ID: dr_7
Target ID: 6
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:40 2025, 0x1205a4 type
Entropy: 2.388850286430915
Encrypted: false
Ssdeep: 768:dHRZdQI+v7MR+kr5g2iytq6JoOHUO7wK2M9KadBnDp:d35+ogk5qNOHUO7wwLdNp
Size: 87508
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA96.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WERAA96.tmp.WERInternalMetadata.xml.6.dr
ID: dr_8
Target ID: 6
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.6979018937666144
Encrypted: false
Ssdeep: 192:R6l7wVeJLpud62l6Y2DFSU9dogmfppdaWpBT89bkOsf0qsm:R6lXJLq6U6YISU9qgmfpjGkNfJ
Size: 8412
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAC5.tmp.xml
Category: dropped
Dump: WERAAC5.tmp.xml.6.dr
ID: dr_9
Target ID: 6
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.496064229115757
Encrypted: false
Ssdeep: 48:cvIwWl8zsPJg77aI9uxWpW8VYHYm8M4JqtFhjlo+q8v2Me7Bsd:uIjfxI70g7VfJEoKu7Bsd
Size: 4720
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE8C.tmp.dmp
Category: dropped
Dump: WERAE8C.tmp.dmp.8.dr
ID: dr_11
Target ID: 8
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:41 2025, 0x1205a4 type
Entropy: 2.3560133241605388
Encrypted: false
Ssdeep: 768:FqriJ27mENDUxfP2iytq6JoO0UO7wK2M9bjzZIqooi:wiQNDqeqNO0UO7wwFLoo
Size: 93048
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF97.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WERAF97.tmp.WERInternalMetadata.xml.8.dr
ID: dr_12
Target ID: 8
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.69806564573605
Encrypted: false
Ssdeep: 192:R6l7wVeJLpuR6f6Y2DoSU9q8MFgmfppdaWpB089bWOsf0tjSm:R6lXJLG6f6YlSU9ygmfpjzWNfEH
Size: 8412
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFC7.tmp.xml
Category: dropped
Dump: WERAFC7.tmp.xml.8.dr
ID: dr_13
Target ID: 8
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.4952586435216535
Encrypted: false
Ssdeep: 48:cvIwWl8zsPJg77aI9uxWpW8VYUYm8M4JqtFwX+q8v2Me7Bsd:uIjfxI70g7VcJxXKu7Bsd
Size: 4720
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB207.tmp.dmp
Category: dropped
Dump: WERB207.tmp.dmp.10.dr
ID: dr_15
Target ID: 10
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:42 2025, 0x1205a4 type
Entropy: 2.120601791832267
Encrypted: false
Ssdeep: 384:Hs2IpnpYm7SmEoNETAslG7f4Uj7ExK2MnWZfq064YzSP+2pG2Y7b:Hs1pnp37fETAsQ7gu7wK2Mnw3YzSm0c
Size: 99902
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2B4.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WERB2B4.tmp.WERInternalMetadata.xml.10.dr
ID: dr_16
Target ID: 10
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.700627330406827
Encrypted: false
Ssdeep: 192:R6l7wVeJLpuJh686Y2DOSU9q8MFgmfppdaWpB989bWOsfUSm:R6lXJL0h686YjSU9ygmfpjYWNfg
Size: 8412
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB2F3.tmp.xml
Category: dropped
Dump: WERB2F3.tmp.xml.10.dr
ID: dr_17
Target ID: 10
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.495498441898633
Encrypted: false
Ssdeep: 48:cvIwWl8zsPJg77aI9uxWpW8VYNYm8M4JqtFQkLW+q8v2Me7Bsd:uIjfxI70g7VdJUWKu7Bsd
Size: 4720
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB553.tmp.dmp
Category: dropped
Dump: WERB553.tmp.dmp.12.dr
ID: dr_19
Target ID: 12
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:43 2025, 0x1205a4 type
Entropy: 2.039930507734341
Encrypted: false
Ssdeep: 384:1W4RmWg6m7ej7oxXAdCQlGAZs4Uj7ExK2MhHf0LEBwl9AcRQyaV:jRmWgd7S4XAdDQAZxu7wK2MhzqTiV
Size: 104038
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7B5.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WERB7B5.tmp.WERInternalMetadata.xml.12.dr
ID: dr_20
Target ID: 12
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.700060520868702
Encrypted: false
Ssdeep: 192:R6l7wVeJLpu962Ue6Y2DUSU9RHSgmfppdaWpBG89bAOsfPgm:R6lXJLK6E6YJSU9RygmfpjNANfd
Size: 8414
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB833.tmp.xml
Category: dropped
Dump: WERB833.tmp.xml.12.dr
ID: dr_21
Target ID: 12
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.495371140555508
Encrypted: false
Ssdeep: 48:cvIwWl8zsPJg77aI9uxWpW8VYqJYm8M4JqtFyC+q8v2Me7Bsd:uIjfxI70g7VwJ0Ku7Bsd
Size: 4720
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA73.tmp.dmp
Category: dropped
Dump: WERBA73.tmp.dmp.14.dr
ID: dr_23
Target ID: 14
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:44 2025, 0x1205a4 type
Entropy: 2.0503303956664203
Encrypted: false
Ssdeep: 384:t8q2Wgwm7+U4p9oF4A0T14lGAF4Uj7ExK2MhkF0rxWwmG2u3Fvia:f2Wgf7+UV4A0Z4QAuu7wK2MhnxK3MH
Size: 103614
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB30.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WERBB30.tmp.WERInternalMetadata.xml.14.dr
ID: dr_24
Target ID: 14
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.699361286644949
Encrypted: false
Ssdeep: 192:R6l7wVeJLpuu6M6Y2DDSU9MHSgmfppdaWpB089bJOsfugmjm:R6lXJLp6M6Y+SU9MygmfpjzJNftj
Size: 8414
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB6F.tmp.xml
Category: dropped
Dump: WERBB6F.tmp.xml.14.dr
ID: dr_25
Target ID: 14
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.4960008783251935
Encrypted: false
Ssdeep: 48:cvIwWl8zsPJg77aI9uxWpW8VYtPYm8M4JqtFzv+q8v2Me7Bsd:uIjfxI70g7VwSJAKu7Bsd
Size: 4720
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDCE.tmp.dmp
Category: dropped
Dump: WERBDCE.tmp.dmp.16.dr
ID: dr_27
Target ID: 16
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:45 2025, 0x1205a4 type
Entropy: 2.214911743334178
Encrypted: false
Ssdeep: 768:xWg37v24A04iO64SlQAsfq7wK2Mhx48NQ:oGA0xO64SCnq7wc+WQ
Size: 112404
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBEF8.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WERBEF8.tmp.WERInternalMetadata.xml.16.dr
ID: dr_28
Target ID: 16
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.6990182772830558
Encrypted: false
Ssdeep: 192:R6l7wVeJLpu46tq6Y2DMSU9MHSgmfppdaWpBT89bJOsf+Ljm:R6lXJLf6tq6YxSU9MygmfpjGJNfn
Size: 8414
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF19.tmp.xml
Category: dropped
Dump: WERBF19.tmp.xml.16.dr
ID: dr_29
Target ID: 16
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.4937417346332165
Encrypted: false
Ssdeep: 48:cvIwWl8zsPJg77aI9uxWpW8VYjvYm8M4JqtFtEp+q8v2Me7Bsd:uIjfxI70g7V3JSEpKu7Bsd
Size: 4720
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC427.tmp.dmp
Category: dropped
Dump: WERC427.tmp.dmp.19.dr
ID: dr_32
Target ID: 19
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:47 2025, 0x1205a4 type
Entropy: 2.732038951321124
Encrypted: false
Ssdeep: 192:CMP8XDXYywJX/b9CtDzpROmlUt2kIBgTMG81AN2M/Hx7pjok1lJYafhwlxmxTC3K:bywVb4Bzm71IBOMxK2MfhYjx8TSi9
Size: 42380
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC571.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WERC571.tmp.WERInternalMetadata.xml.19.dr
ID: dr_33
Target ID: 19
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.6954953522164913
Encrypted: false
Ssdeep: 192:R6l7wVeJLpuX6IJC6Y2DgOSU9RHwgmfMpophxWpD+89b7OsfHPJm:R6lXJLY6IJC6Y1OSU9RQgmfM2vK7NfHc
Size: 8316
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC591.tmp.xml
Category: dropped
Dump: WERC591.tmp.xml.19.dr
ID: dr_34
Target ID: 19
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, ASCII text, with CRLF line terminators
Entropy: 4.479985360022542
Encrypted: false
Ssdeep: 48:cvIwWl8zsPJg77aI9uxWpW8VYoYm8M4JqPFt+q8CEe7Bsd:uIjfxI70g7VoJMt7Bsd
Size: 4579
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC977.tmp.dmp
Category: dropped
Dump: WERC977.tmp.dmp.22.dr
ID: dr_36
Target ID: 22
Process: C:\Windows\SysWOW64\WerFault.exe
Type: Mini DuMP crash report, 14 streams, Sat Jan 11 05:12:48 2025, 0x1205a4 type
Entropy: 2.2027203591895597
Encrypted: false
Ssdeep: 384:QsucehtgeAxalpZ5D/+j2Mh0PlelqKQcDaRq:xuLhtgezyj2MqElqr
Size: 62046
Whitelisted: false
Reputation: timeout

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA24.tmp.WERInternalMetadata.xml
Category: dropped
Dump: WERCA24.tmp.WERInternalMetadata.xml.22.dr
ID: dr_37
Target ID: 22
Process: C:\Windows\SysWOW64\WerFault.exe
Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy: 3.6966883208192196
Encrypted: false
Ssdeep: 192:R6l7wVeJ2L6RpJW6Yrpud6ARqgmfKaWpBp89bcLqsfxAUm:R6lXJa6RpI6YrC6ARqgmfKEcLJfA
Size: 8396
Whitelisted: false
Reputation: timeout

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA73.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped
