
Analysis Report cb043bd7-20bb-43a5-863f-57526786879c

Overview

General Information

Sample Name: cb043bd7-20bb-43a5-863f-57526786879c (renamed file extension from none to exe)
MD5: 21ce75a41f9ed8e6f7c18dbf92fe5beb
SHA1: 5a105fa68b3eb73a1a829ba357e1a3a0e4ca2d9d
SHA256: 3b1f8b079a7d823fb617e72ff4e9da4f47e63ca530749df7d7a2d38d439b2b21

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Antivirus or Machine Learning detection for unpacked file
Contains functionality locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cb043bd7-20bb-43a5-863f-57526786879c.exe (PID: 4604 cmdline: 'C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe' MD5: 21CE75A41F9ED8E6F7C18DBF92FE5BEB)
    • WerFault.exe (PID: 5328 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 368 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
    • WerFault.exe (PID: 5228 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 408 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, Avira: detected
Multi AV Scanner detection for submitted file
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, Virustotal: Detection: 25%
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, ReversingLabs: Detection: 29%
Source: 0.2.cb043bd7-20bb-43a5-863f-57526786879c.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.0.cb043bd7-20bb-43a5-863f-57526786879c.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,0_2_00405BEC

Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, String found in binary or memory: http://ocsp.sectigo.com0
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, String found in binary or memory: https://sectigo.com/CPS0C

Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040E420 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_0040E420
Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_3_021D2869 0_3_021D2869
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_00402260 0_2_00402260
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040D22C 0_2_0040D22C
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040EDE0 0_2_0040EDE0
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: String function: 00404C88 appears 37 times
Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 368
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, Static PE information: invalid certificate
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine, Classification label: mal56.winEXE@3/8@0/0
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040E420 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_0040E420
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_00407F78 GetDiskFreeSpaceW,0_2_00407F78
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040ECFC FindResourceW,SizeofResource,LoadResource,LockResource,0_2_0040ECFC
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4604
Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER520.tmp
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, Virustotal: Detection: 25%
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, ReversingLabs: Detection: 29%
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, String found in binary or memory: ns. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked the command line. /SA
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, File read: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe
Source: unknown, Process created: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe 'C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe'
Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 368
Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 408
Source: cb043bd7-20bb-43a5-863f-57526786879c.exe, Static file information: File size 3392728 > 1048576

Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040B020 push 0040B1CCh; ret 0_2_0040B1C4
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040B0E7 push 0040B1CCh; ret 0_2_0040B1C4
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_00406978 push 004069A4h; ret 0_2_0040699C
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_00406934 push 00406976h; ret 0_2_0040696E
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040E138 push 0040E164h; ret 0_2_0040E15C
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_00411188 push 00411206h; ret 0_2_004111FE
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_004069AE push 004069DCh; ret 0_2_004069D4
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_004069B0 push 004069DCh; ret 0_2_004069D4
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_00411224 push 00411251h; ret 0_2_00411249
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040DC20 push 0040DC63h; ret 0_2_0040DC5B
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_004064A6 push 0040650Dh; ret 0_2_00406505
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_004064A8 push 0040650Dh; ret 0_2_00406505
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_004034A8 push eax; ret 0_2_004034E4
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040CF24 push ecx; mov dword ptr [esp], eax 0_2_0040CF29
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040FFC0 push 00410028h; ret 0_2_00410020
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040DFB8 push 0040E000h; ret 0_2_0040DFF8

Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, API coverage: 8.5 %
Source: C:\Windows\SysWOW64\WerFault.exe, File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,0_2_00405BEC
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_00406458 GetSystemInfo,0_2_00406458
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, API call chain: ExitProcess graph end node graph_0-7557
Source: C:\Windows\SysWOW64\WerFault.exe, Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_00408148 LdrInitializeThunk,VirtualFree,0_2_00408148
Source: C:\Windows\SysWOW64\WerFault.exe, Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe, Process token adjusted: Debug

Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,0_2_00405DE8
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: GetLocaleInfoW,0_2_0040E528
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: GetLocaleInfoW,0_2_00408DD0
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: GetLocaleInfoW,0_2_00408E1C
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,0_2_00405F23
Source: C:\Users\user\Desktop\cb043bd7-20bb-43a5-863f-57526786879c.exe, Code function: 0_2_0040A274 GetVersionExW,0_2_0040A274

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Command-Line Interface 2 | Winlogon Helper DLL | Access Token Manipulation 1 | Masquerading 1 | Credential Dumping | Virtualization/Sandbox Evasion 1 | Application Deployment Software | Data from Local System | Data Encrypted 1 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1 |
| Replication Through Removable Media | Service Execution | Port Monitors | Process Injection 1 | Software Packing 1 | Network Sniffing | Process Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Virtualization/Sandbox Evasion 1 | Input Capture | Security Software Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Access Token Manipulation 1 | Credentials in Files | Remote System Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud |
| Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection 1 | Account Manipulation | File and Directory Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Deobfuscate/Decode Files or Information 1 | Brute Force | System Information Discovery 24 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features |
| Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Obfuscated Files or Information 2 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading 1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

Behavior Graph

[Behavior graph, ID: 233902. Sample: cb043bd7-20bb-43a5-863f-575... Startdate: 28/05/2020. Architecture: WINDOWS. Score: 56. Signatures shown: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file. Process tree: cb043bd7-20bb-43a5-863f-57526786879c.exe started two WerFault.exe processes.]
