Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 284
Source: 6vywr0yn.dll | Binary or memory string: OriginalFilenameoe2hrfl.dllX vs 6vywr0yn.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine | Classification label: sus23.winDLL@3/8@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6536
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4EE.tmp
Source: 6vywr0yn.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6vywr0yn.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 240
Source: 6vywr0yn.dll | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 6vywr0yn.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6vywr0yn.dll | Binary string: EFRE65.pdb
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp | Binary string: wgdi32full.pdb
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658917823.0000000003249000.00000004.00000001.sdmp | Binary string: wkernel32.pdb
Source: WerFault.exe, 00000003.00000003.649342719.0000000004FB2000.00000004.00000040.sdmp | Binary string: sechost.pdb
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp | Binary string: ucrtbase.pdb
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp | Binary string: msvcrt.pdb
Source: WerFault.exe, 00000003.00000003.649370029.0000000004FB5000.00000004.00000040.sdmp | Binary string: wrpcrt4.pdb
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658928903.000000000320C000.00000004.00000001.sdmp | Binary string: wntdll.pdb
Source: WerFault.exe, 00000003.00000003.649370029.0000000004FB5000.00000004.00000040.sdmp | Binary string: wrpcrt4.pdbk
Source: WerFault.exe, 00000003.00000002.653904672.0000000002A32000.00000004.00000010.sdmp | Binary string: aumjrxmCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp | Binary string: wgdi32.pdb
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp | Binary string: advapi32.pdb
Source: WerFault.exe, 00000003.00000003.649365067.0000000004FB0000.00000004.00000040.sdmp | Binary string: wsspicli.pdb
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp | Binary string: msvcp_win.pdb
Source: WerFault.exe, 00000003.00000003.649365067.0000000004FB0000.00000004.00000040.sdmp | Binary string: cryptbase.pdb
Source: WerFault.exe, 00000003.00000003.649365067.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp | Binary string: wimm32.pdb
Source: WerFault.exe, 00000003.00000003.647964693.0000000002DCA000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658949932.0000000003218000.00000004.00000001.sdmp | Binary string: wkernelbase.pdb
Source: WerFault.exe, 00000003.00000003.649342719.0000000004FB2000.00000004.00000040.sdmp | Binary string: sechost.pdbk
Source: WerFault.exe, 00000003.00000003.649365067.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp | Binary string: bcryptprimitives.pdb
Source: WerFault.exe, 00000003.00000003.647964693.0000000002DCA000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658949932.0000000003218000.00000004.00000001.sdmp | Binary string: wkernelbase.pdb(
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp | Binary string: wwin32u.pdb
Source: WerFault.exe, 00000003.00000003.647906130.0000000002DC4000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658934374.0000000003212000.00000004.00000001.sdmp | Binary string: wkernel32.pdb(
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp | Binary string: apphelp.pdb
Source: WerFault.exe, 00000003.00000003.647729031.0000000004BA8000.00000004.00000001.sdmp | Binary string: upwntdll.pdb
Source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp | Binary string: wuser32.pdb
Source: WerFault.exe, 00000003.00000003.647843222.0000000002DBE000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658928903.000000000320C000.00000004.00000001.sdmp | Binary string: wntdll.pdb(
Source: C:\Windows\SysWOW64\WerFault.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 00000005.00000002.681033724.00000000031DB000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW Area Connection* 6
Source: WerFault.exe, 00000003.00000002.654666487.0000000004C70000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.682254317.0000000005550000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000005.00000002.681033724.00000000031DB000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000003.00000002.654666487.0000000004C70000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.682254317.0000000005550000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.654666487.0000000004C70000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.682254317.0000000005550000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000005.00000002.681144622.0000000004CD0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWpZ
Source: WerFault.exe, 00000003.00000002.654666487.0000000004C70000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.682254317.0000000005550000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug