IOCReport


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| 2760000.netprovfw.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_2760000.netprovf_50482980db6f70d047bdd5f2b763ef22b1cfde7_9c33c211_129efdf4\Report.wer | Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5C6.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Jan 29 00:27:52 2021, 0x1205a4 type | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF78C.tmp.WERInternalMetadata.xml | XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators | dropped | clean |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF81A.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\2760000.netprovfw.exe | 'C:\Users\user\Desktop\2760000.netprovfw.exe' | malicious |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640 | clean |

Registry

| Path | Value | Malicious |
|---|---|---|
| C:\Windows\SysWOW64\WerFault.exe | AmiHivePermissionsCorrect | clean |
| C:\Windows\SysWOW64\WerFault.exe | AmiHiveOwnerCorrect | clean |
| C:\Windows\SysWOW64\WerFault.exe | ProgramId | clean |
| C:\Windows\SysWOW64\WerFault.exe | FileId | clean |
| C:\Windows\SysWOW64\WerFault.exe | LowerCaseLongPath | clean |
| C:\Windows\SysWOW64\WerFault.exe | LongPathHash | clean |
| C:\Windows\SysWOW64\WerFault.exe | Name | clean |
| C:\Windows\SysWOW64\WerFault.exe | Publisher | clean |
| C:\Windows\SysWOW64\WerFault.exe | Version | clean |
| C:\Windows\SysWOW64\WerFault.exe | BinFileVersion | clean |
| C:\Windows\SysWOW64\WerFault.exe | BinaryType | clean |
| C:\Windows\SysWOW64\WerFault.exe | ProductName | clean |
| C:\Windows\SysWOW64\WerFault.exe | ProductVersion | clean |
| C:\Windows\SysWOW64\WerFault.exe | LinkDate | clean |
| C:\Windows\SysWOW64\WerFault.exe | BinProductVersion | clean |
| C:\Windows\SysWOW64\WerFault.exe | Size | clean |
| C:\Windows\SysWOW64\WerFault.exe | Language | clean |
| C:\Windows\SysWOW64\WerFault.exe | IsPeFile | clean |
| C:\Windows\SysWOW64\WerFault.exe | IsOsComponent | clean |
| C:\Windows\SysWOW64\WerFault.exe | ExceptionRecord | clean |
| C:\Windows\SysWOW64\WerFault.exe | DeviceTicket | clean |
| C:\Windows\SysWOW64\WerFault.exe | DeviceId | clean |
| C:\Windows\SysWOW64\WerFault.exe | ApplicationFlags | clean |
| C:\Windows\SysWOW64\WerFault.exe | 00184004E4A9E61A | clean |

14 further registry entries are not shown in this view.

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 2761000 | unknown image | page execute read | malicious |
| 2761000 | unknown image | page execute read | malicious |
| 5C0000 | heap default | page read and write | clean |
| 2760000 | unknown image | page readonly | clean |
| 54E000 | unknown | page read and write | clean |
| 2760000 | unknown image | page readonly | clean |
| 2770000 | unknown image | page readonly | clean |
| 400000 | unknown | page readonly | clean |
| 2760000 | unknown image | page readonly | clean |
| 276D000 | unknown image | page read and write | clean |
| 95F000 | stack | page read and write | clean |
| 50E000 | unknown | page read and write | clean |
| 19C000 | stack | page read and write | clean |
| 357000 | unknown | page read and write | clean |
| 550000 | unknown | page readonly | clean |
| 221C000 | unknown | page read and write | clean |
| 353000 | unknown | page read and write | clean |
| A00000 | unknown | page readonly | clean |
| 6CF000 | stack | page read and write | clean |
| 2770000 | unknown image | page readonly | clean |
| 2202000 | unknown | page read and write | clean |
| 9F0000 | heap private | page read and write | clean |
| 27B3000 | unknown image | page readonly | clean |
| 1F0000 | unknown | page read and write | clean |
| 9D000 | unknown | page read and write | clean |
| 760000 | heap default | page read and write | clean |
| 276D000 | unknown image | page write copy | clean |
| 76A000 | heap default | page read and write | clean |
| 21A0000 | unknown | page read and write | clean |
| 27B3000 | unknown image | page readonly | clean |

20 further memory dumps are not shown in this view.