Source: CUSTOM SHIPING DOCS.exe
Joe Sandbox ML: detected
Source: WerFault.exe, 00000003.00000003.354582319.000000000331C000.00000004.00000001.sdmp
String found in binary or memory: http://crl.micro
Source: CUSTOM SHIPING DOCS.exe, 00000000.00000002.356907842.000000000016A000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: CUSTOM SHIPING DOCS.exe
Static PE information: Section: .text IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: unknown
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 212
Source: CUSTOM SHIPING DOCS.exe
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CUSTOM SHIPING DOCS.exe
Static PE information: No import functions for PE file found
Source: C:\Windows\SysWOW64\WerFault.exe
Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe
Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe
Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine
Classification label: mal48.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7072
Source: C:\Windows\SysWOW64\WerFault.exe
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CA6.tmp
Source: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe
File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown
Process created: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe 'C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe'
Source: CUSTOM SHIPING DOCS.exe
Static PE information: Virtual size of .text is bigger than: 0x100000
Source: CUSTOM SHIPING DOCS.exe
Static file information: File size 1651712 > 1048576
Source: CUSTOM SHIPING DOCS.exe
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13fa00
Source: WerFault.exe, 00000003.00000003.341920539.0000000003326000.00000004.00000001.sdmp
Binary string: wkernel32.pdb
Source: WerFault.exe, 00000003.00000003.342002495.000000000332C000.00000004.00000001.sdmp
Binary string: wkernelbase.pdb
Source: WerFault.exe, 00000003.00000003.342002495.000000000332C000.00000004.00000001.sdmp
Binary string: wkernelbase.pdb(
Source: WerFault.exe, 00000003.00000003.341920539.0000000003326000.00000004.00000001.sdmp
Binary string: wkernel32.pdb(
Source: WerFault.exe, 00000003.00000003.341916611.0000000003320000.00000004.00000001.sdmp
Binary string: wntdll.pdb
Source: WerFault.exe, 00000003.00000003.341860173.000000000333A000.00000004.00000001.sdmp
Binary string: upwntdll.pdb
Source: WerFault.exe, 00000003.00000003.343258907.00000000052E1000.00000004.00000001.sdmp
Binary string: apphelp.pdb
Source: WerFault.exe, 00000003.00000003.343258907.00000000052E1000.00000004.00000001.sdmp
Binary string: wntdll.pdbk
Source: WerFault.exe, 00000003.00000003.341916611.0000000003320000.00000004.00000001.sdmp
Binary string: wntdll.pdb(
Source: C:\Windows\SysWOW64\WerFault.exe
Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe
File opened: PhysicalDrive0
Source: WerFault.exe, 00000003.00000002.355732976.00000000034E0000.00000002.00000001.sdmp
Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000003.00000002.355594663.000000000335A000.00000004.00000020.sdmp
Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000003.00000002.355732976.00000000034E0000.00000002.00000001.sdmp
Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.355732976.00000000034E0000.00000002.00000001.sdmp
Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000003.00000003.350669940.000000000335A000.00000004.00000001.sdmp
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 00000003.00000002.355732976.00000000034E0000.00000002.00000001.sdmp
Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WerFault.exe
Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CUSTOM SHIPING DOCS.exe
Process queried: DebugPort
Source: C:\Windows\SysWOW64\WerFault.exe
Process token adjusted: Debug