
Analysis Report utility.dll

Overview

General Information

Sample Name: utility.dll
Analysis ID: 385485
MD5: c84fd1069470c4f7cbcd9fa10fc32615
SHA1: 94ca6af9cae336754da47e2b8694a1f33db78e89
SHA256: 59d2ed9608ac543bd671da7b17558ebce275f64dd80fc84abd10fd31dea49c5e
Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6788 cmdline: loaddll32.exe 'C:\Users\user\Desktop\utility.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6836 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6880 cmdline: rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 7020 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 696 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6868 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 7060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6868 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 7124 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 3492 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt2BinStr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4544 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4264 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DecryptEx MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6384 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,Deflate MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6528 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DeflateToMemory MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6656 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawEnumDisplayModes MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6136 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawIsSupported MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6308 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawRestoreDisplayMode MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4108 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawSetDisplayMode MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6096 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryAdd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 4612 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6672 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryClear MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryDump MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10002170 FileEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10002290 FileDecrypt,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10004340 SecuritySave,CompareFileTime,CompareFileTime,CompareFileTime,EncryptEx,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10001D30 Encrypt,SysAllocStringLen,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10001E50 EncryptEx,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10003E90 SecurityLoad,SecurityWipeMemory,GetSystemTime,SystemTimeToFileTime,wsprintfA,lstrcpyA,wsprintfA,wsprintfA,lstrlenA,lstrcpyA,lstrcpynA,DecryptEx,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10001EB0 DecryptEx,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10001F10 Decrypt,SysAllocStringLen,
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_10001FF0 Decrypt2BinStr,
Source: utility.dll, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: utility.dll, Static PE information: certificate valid
Source: Binary string: sechost.pdbJ# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb6#a source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbk source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb@# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.651468531.0000000000BBD000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.658109078.000000000331B000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.667241591.0000000000748000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.724957051.000000000346A000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbU source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbW source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: utility.dll | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: utility.dll | String found in binary or memory: http://ocsp.thawte.com0
Source: utility.dll | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: utility.dll | String found in binary or memory: http://t2.symcb.com0
Source: utility.dll | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: utility.dll | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: utility.dll | String found in binary or memory: http://tl.symcd.com0&
Source: utility.dll | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: utility.dll | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: utility.dll | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: utility.dll | String found in binary or memory: https://www.thawte.com/cps0/
Source: utility.dll | String found in binary or memory: https://www.thawte.com/repository0
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 696
Source: utility.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: classification engine | Classification label: clean8.winDLL@48/20@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6096
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3492
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7124
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6880
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6868
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA48.tmp
Source: utility.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\win.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\utility.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 696
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6868 -s 688
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 688
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt2BinStr
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 688
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DecryptEx
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Deflate
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DeflateToMemory
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawEnumDisplayModes
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawIsSupported
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawRestoreDisplayMode
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawSetDisplayMode
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryAdd
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 688
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryClear
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryDump
Source: utility.dll | Static PE information: certificate valid
Source: Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: wsock32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbh source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb~# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: samcli.pdb0#k source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: combase.pdbh#6 source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: netutils.pdbL source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: netutils.pdbN source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb! source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: samcli.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbV#l source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbX#f source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb= source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wsock32.pdb3 source: WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb?6` source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbr# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: wsock32.pdb/ source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.651458754.0000000000BB1000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.658769742.000000000330F000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.668506196.000000000073C000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.727173519.000000000345E000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb@ source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb3oc source: WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp
Source: Binary string: samcli.pdb_6m source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbO source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb6z~ source: WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb7 source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: samcli.pdbr source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbJ# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb6#a source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbk source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb@# source: WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.651468531.0000000000BBD000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.658109078.000000000331B000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.667241591.0000000000748000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.724957051.000000000346A000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.658090550.0000000005260000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657510247.0000000005170000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667425105.0000000005570000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683909867.00000000048E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735201747.0000000005640000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbU source: WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.658116123.0000000005266000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.657526798.0000000005176000.00000004.00000040.sdmp, WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp, WerFault.exe, 00000011.00000003.683967051.00000000048E6000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.735223282.0000000005646000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbW source: WerFault.exe, 0000000E.00000003.667459101.0000000005576000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.658058795.0000000005291000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.657463779.0000000004F91000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.667383747.0000000005391000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.683845320.0000000004911000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.735164679.0000000005671000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100078C0 ToolsSetDefaultPrinter,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10016730 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0090D587 push ebp; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0090BEB8 push ebp; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0090C858 push ss; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 23_2_0090F7E0 push ebp; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000CA50 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100019D0 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe Code function: SysInfoGetAdaptersInfo,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.3 %
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: WerFault.exe, 00000009.00000002.695648862.0000000004D59000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWntel(R) 82574L Gigabit Network Connection-QoS Packet Scheduler-0000
Source: WerFault.exe, 00000009.00000002.697663157.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.685482706.0000000004A80000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.767832613.0000000005590000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.713927630.0000000004640000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.762545479.0000000005350000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000B.00000003.676572054.00000000049A8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWE
Source: WerFault.exe, 00000009.00000002.695648862.0000000004D59000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.676572054.00000000049A8000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000003.749692159.0000000005017000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000002.713771261.0000000004542000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000009.00000002.697663157.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.685482706.0000000004A80000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.767832613.0000000005590000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.713927630.0000000004640000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.762545479.0000000005350000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW8}&
Source: WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,
Source: WerFault.exe, 00000009.00000002.697663157.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.685482706.0000000004A80000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.767832613.0000000005590000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.713927630.0000000004640000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.762545479.0000000005350000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000011.00000002.713879346.000000000461D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`
Source: WerFault.exe, 00000009.00000002.697663157.00000000053F0000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.685482706.0000000004A80000.00000002.00000001.sdmp, WerFault.exe, 0000000E.00000002.767832613.0000000005590000.00000002.00000001.sdmp, WerFault.exe, 00000011.00000002.713927630.0000000004640000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.762545479.0000000005350000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100019D0 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100019D0 CPUSpeed,LdrInitializeThunk,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceCounter,GetThreadPriority,SetThreadPriority,QueryPerformanceCounter,QueryPerformanceCounter,SetThreadPriority,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_100078C0 ToolsSetDefaultPrinter,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1000ABF0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001C4FB SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001C50D SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10003E90 SecurityLoad,SecurityWipeMemory,GetSystemTime,SystemTimeToFileTime,wsprintfA,lstrcpyA,wsprintfA,wsprintfA,lstrlenA,lstrcpyA,lstrcpynA,DecryptEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_1001D1A2 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10017756 GetVersion,GetCommandLineA,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10004A80 ServerListen,_rand,__ftol,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10004B60 ServerListenOnPort,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10004D70 ServerIsListening,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_10004DE0 socket,WSAAsyncSelect,closesocket,htons,bind,closesocket,listen,closesocket,
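The chain the report lists for the export at 4_2_100019D0, an rdtsc bracketed by QueryPerformanceFrequency/QueryPerformanceCounter with the thread priority raised for the measurement, is the textbook way to measure clock frequency, and the function is named CPUSpeed. The very same primitive is also the classic timing-based debugger check, and a static heuristic such as "Contains functionality for execution timing" cannot tell the two apart. The block below is an added example written for this page, not code from utility.dll, Joe Sandbox or any vendor; it rebuilds both uses in portable C. Assumptions: clock_gettime(CLOCK_MONOTONIC) stands in for the QueryPerformance* calls, the TSC is read with rdtsc on x86 and emulated elsewhere, and the window and threshold values are invented.

```c
/*
 * Added example for this page, not the sample's own code. Reproduces the
 * API shape attributed to CPUSpeed (rdtsc between two high-resolution timer
 * reads) and shows that the identical primitive is a timing-based debugger
 * check. clock_gettime replaces QueryPerformanceFrequency/Counter; the
 * spin window and cycle threshold are made-up values.
 */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <time.h>

/* Monotonic wall clock in nanoseconds; the role QueryPerformanceCounter plays on Windows. */
static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }   /* the rdtsc the report flags */
#else
static uint64_t read_tsc(void) { return now_ns(); }    /* non-x86 host: emulate a 1 GHz TSC */
#endif

/* Benign use: CPU clock in MHz from TSC ticks elapsed over a wall-clock window.
 * This is what an export named CPUSpeed is expected to compute; on Windows the
 * sample additionally raises its thread priority so the spin is not preempted. */
double estimate_cpu_mhz(uint64_t window_ns)
{
    uint64_t t0 = now_ns();
    uint64_t c0 = read_tsc();
    while (now_ns() - t0 < window_ns)
        ;                                   /* busy-wait for the window */
    uint64_t c1 = read_tsc();
    uint64_t elapsed_ns = now_ns() - t0;
    if (elapsed_ns == 0)
        return 0.0;
    /* ticks per nanosecond times 1000 gives MHz */
    return (double)(c1 - c0) * 1000.0 / (double)elapsed_ns;
}

/* Evasive use of the same primitive: a region that costs far more cycles than
 * it should is being single-stepped, traced or instrumented. Kept as pure
 * decision logic so the threshold can be tested deterministically. */
int timing_suggests_debugger(uint64_t cycles_spent, uint64_t threshold_cycles)
{
    return cycles_spent > threshold_cycles ? 1 : 0;
}

/* Times a trivial region and applies the check. A heuristic that keys on
 * "rdtsc near QueryPerformanceCounter" sees this and estimate_cpu_mhz as the
 * same thing, which is why a benign CPUSpeed export earns the timing signature. */
int run_timing_check(uint64_t threshold_cycles)
{
    volatile uint64_t sink = 0;
    uint64_t c0 = read_tsc();
    for (int i = 0; i < 64; i++)
        sink += (uint64_t)i;
    uint64_t c1 = read_tsc();
    return timing_suggests_debugger(c1 - c0, threshold_cycles);
}
```

When triaging a timing hit, look at what consumes the result: CPUSpeed returns it to the caller, while an anti-debug routine branches on it and usually terminates or changes behaviour. The direct debugger check in this sample is the ProcessDebugPort query recorded sixteen times above, not the rdtsc.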

Mitre Att&ck Matrix

The report's matrix, listed one line per tactic column. Techniques the analysis flagged carry the report's signature-hit badges in parentheses after their name; all other entries are the unflagged background of the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Application Shimming (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (1, 1); Application Shimming (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (1, 1); Process Injection (1, 1); Obfuscated Files or Information (1); Rundll32 (1); Software Packing; Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Query Registry (1); Security Software Discovery (3, 1); Virtualization/Sandbox Evasion (1, 1); Remote System Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (3)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 385485, Sample: utility.dll, Startdate: 12/04/2021, Architecture: WINDOWS, Score: 8. Process tree recovered from the graph:

loaddll32.exe
  cmd.exe
    rundll32.exe
      WerFault.exe
  rundll32.exe
    WerFault.exe
  rundll32.exe
    WerFault.exe
  11 other processes
    WerFault.exe
    WerFault.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
utility.dll | 0% | Virustotal
utility.dll | 0% | ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://crl.m | 0% | URL Reputation (4 entries) | safe
http://microsoft.coA | 0% | Avira URL Cloud | safe
http://crl.micro | 0% | URL Reputation (3 entries) | safe
http://crl.microsoft | 0% | URL Reputation (3 entries) | safe
http://crl.micro( | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation (3 entries) | safe
http://www.microsoft.co | 0% | URL Reputation (3 entries) | safe
http://crl.microsy | 0% | Avira URL Cloud | safe
http://www.microsoft.c | 0% | URL Reputation (3 entries) | safe
http://crl.microsoft2 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.m | WerFault.exe, 0000000E.00000003.749476068.000000000502A000.00000004.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
http://microsoft.coA | WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micro | WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | utility.dll | false | (none) | high
https://www.thawte.com/cps0/ | utility.dll | false | (none) | high
http://crl.microsoft | WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://crl.micro( | WerFault.exe, 0000000B.00000003.676315749.00000000049D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://ocsp.thawte.com0 | utility.dll | false | URL Reputation: safe (3 entries) | unknown
http://www.microsoft.co | WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://crl.microsy | WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.thawte.com/repository0 | utility.dll | false | (none) | high
http://www.microsoft.c | WerFault.exe, 00000023.00000002.762386513.0000000005250000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://crl.microsoft2 | WerFault.exe, 00000009.00000003.683820033.0000000004D79000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Only four of these entries are sourced from utility.dll itself, all Thawte addresses (timestamping CRL, CPS, repository and OCSP) that belong to the code-signing and timestamp certificate chain embedded in the file; the stray "0" ending each of them is most likely the adjacent DER byte picked up by the string extractor, not part of the URL. Every other entry is a truncated Microsoft CRL or OCSP string read from WerFault.exe memory, a process the analysis whitelists, so none of the listed URLs describes network behaviour of the sample, which contacted no domains or IPs during the run.

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385485
Start date: 12.04.2021
Start time: 15:26:29
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 45s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: utility.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean8.winDLL@48/20@0/0
EGA Information:
• Successful, ratio: 25%
HDC Information:
• Successful, ratio: 100% (good quality ratio 96%)
• Quality average: 85%
• Quality standard deviation: 24.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .dll
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 13.88.21.125, 40.88.32.150, 104.43.139.144, 104.43.193.48, 20.82.210.154, 92.122.213.194, 92.122.213.247, 20.190.160.74, 20.190.160.131, 20.190.160.7, 20.190.160.1, 20.190.160.70, 20.190.160.133, 20.190.160.3, 20.190.160.130, 52.147.198.201, 20.190.160.9, 20.190.160.72, 20.190.160.5, 20.190.160.135, 2.20.142.209, 2.20.142.210, 20.190.159.137, 40.126.31.2, 20.190.159.133, 40.126.31.142, 20.190.159.131, 20.190.159.135, 40.126.31.140, 40.126.31.3, 52.155.217.156, 52.255.188.83, 20.54.26.129, 168.61.161.212
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Execution Graph export aborted for target rundll32.exe, PID 6384 because there are no executed functions
• Execution Graph export aborted for target rundll32.exe, PID 6528 because there are no executed functions
• Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time | Type | Description
15:27:30 | API Interceptor | 5x Sleep call for process: WerFault.exe modified
15:28:21 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

        Created / dropped Files

        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1a1eb18902f2cde56c230bea1f2d46b66fdcaf_82810a17_1b3ef221\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12320
        Entropy (8bit):3.7664906162615877
        Encrypted:false
        SSDEEP:192:11HpiB0oXRR+HBUZMX4jed+h+/u7sfS274ItWcY:/JivXGBUZMX4jes+/u7sfX4ItWcY
        MD5:CA7808A969BB6ECE94BE53CA5EB5815A
        SHA1:2282A52F119D8DCCA59EA920B602899092486B97
        SHA-256:F14D3D718B6921058C178C26BE5564A149A64B9FB53C755E8F73BAB09328D3CB
        SHA-512:181CBDF4D245E1E9CA7ED3835C8677B9F5F1F681422B3501F23C2F924BE74870A30970B94529D36C578B8B92291A31709C9EFB825806EFE38B0BFB2B76F9A79C
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.0.7.6.3.9.3.0.8.1.2.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.0.7.6.4.7.9.0.1.8.5.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.9.4.b.c.d.8.-.7.0.6.e.-.4.b.9.1.-.9.3.6.0.-.d.2.5.6.2.1.1.f.7.5.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.6.2.9.3.3.2.-.d.9.f.8.-.4.a.6.0.-.9.c.f.2.-.b.f.9.2.3.2.d.1.1.3.d.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.e.0.-.0.0.0.1.-.0.0.1.b.-.e.2.d.7.-.a.a.8.d.9.f.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1a1eb18902f2cde56c230bea1f2d46b66fdcaf_82810a17_1bc6e465\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12288
        Entropy (8bit):3.7679896352891276
        Encrypted:false
        SSDEEP:192:6ThGis0oX6R+HBUZMX4jed+h+/u7sfS274ItWcr:ohGiqX9BUZMX4jes+/u7sfX4ItWcr
        MD5:A383E5C2B05E613C4464C290EC341A21
        SHA1:6CDBC5CBC31CB08521FEBD43A382AC4046E7FBE5
        SHA-256:16179FB8445E44C464816421FE5B15CDE3B8A3BC9C226E6F3AB0F56311427811
        SHA-512:2DCC96E330B959B522C621324F1EA78ECEB1A312D1F8F556A260F191994F37C61B6B961F6383DDD066FDCEE3B6B094AC29FB85934139BAC745347D0E7FB95AD5
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.0.7.6.3.9.1.9.8.7.4.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.0.7.6.4.8.0.8.9.3.4.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.4.8.7.3.6.6.-.f.c.8.a.-.4.f.a.e.-.b.9.7.6.-.1.f.3.5.4.6.f.4.9.f.3.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.1.e.b.7.0.b.-.6.e.f.9.-.4.0.4.9.-.b.6.1.1.-.3.4.8.d.0.6.c.f.f.9.5.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.d.4.-.0.0.0.1.-.0.0.1.b.-.8.f.7.2.-.a.6.8.d.9.f.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_6995fa83d7b0318a43db0d33e1e8ff1c3499353_82810a17_12577480\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12318
        Entropy (8bit):3.766194179464847
        Encrypted:false
        SSDEEP:192:cfiB0oXDHBUZMX4jed+h+/u7sfS274ItWcc:sivXDBUZMX4jec+/u7sfX4ItWcc
        MD5:52E712DC29F2F6F344AD9416CBF531FB
        SHA1:9C3F9F4564C154100025A9DB1448D61BB65F791E
        SHA-256:649A67169BE17298E22BB527798F8B0C0568E681BE3DF9359E066F702A4FF4D3
        SHA-512:0A5077FDAD198AE8FC68BB4143FFF82F421E10FDA4D474DB381BE335AC2BC0FACED81A69FE27D3C8D71B3F7A91DAFF0F53D8BED6729D16618F5E49F9F09A72C9
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.0.7.6.7.4.5.7.3.6.5.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.0.7.6.8.4.8.8.6.0.9.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.c.4.2.f.2.2.-.1.4.f.c.-.4.e.a.b.-.a.e.0.3.-.1.9.b.a.2.9.6.8.f.8.3.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.d.c.6.a.a.b.5.-.d.2.b.7.-.4.3.f.8.-.8.a.4.a.-.0.c.a.4.4.a.e.9.4.e.6.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.d.0.-.0.0.0.1.-.0.0.1.b.-.e.9.a.8.-.d.f.a.1.9.f.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8e1c7dc65b4f8892833bb6a965bb21678f4e1a_82810a17_11932288\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12322
        Entropy (8bit):3.7683657592986455
        Encrypted:false
        SSDEEP:192:B52ih0oXvqHBUZMX4jed+h+/u7sfS274ItWcQ:OiPX6BUZMX4jec+/u7sfX4ItWcQ
        MD5:A8CD37436DD55291AEFE3DE38A97E230
        SHA1:D637BBC284DE9B0D05BE24FAFF29C3060303B28B
        SHA-256:A015EEA577F7F4100C025C92235B0BDCC297C59281A55ABA46ED076B2EE7A846
        SHA-512:C2D49CCF4DCE04D067138357721DDA7404DEB06E9044EE863E47FD0CD148F5A21FD335CB31196C2603F94A7341196C6807F8D75512D28BE52F7AA271C9C38F84
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.0.7.6.4.7.2.4.5.5.9.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.0.7.6.6.2.2.9.2.4.2.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.0.7.1.6.c.3.-.6.b.6.6.-.4.c.7.c.-.b.3.1.c.-.8.5.a.0.5.8.2.f.2.3.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.a.0.c.4.4.2.-.8.d.f.3.-.4.f.2.6.-.8.9.6.c.-.9.7.1.8.5.e.3.0.7.5.2.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.a.4.-.0.0.0.1.-.0.0.1.b.-.a.7.4.7.-.8.9.9.1.9.f.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8e1c7dc65b4f8892833bb6a965bb21678f4e1a_82810a17_17936916\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12318
        Entropy (8bit):3.7670207117332146
        Encrypted:false
        SSDEEP:192:Ml/iS0oXSqHBUZMX4jed+h+/u7sfS274ItWc1:a/i0X3BUZMX4jec+/u7sfX4ItWc1
        MD5:31FA4DC2FECF09081F39561EE652E953
        SHA1:2CE0ECF0B4051A4718E76D64EB06154F8E2DFB09
        SHA-256:76C679665E76B0E15C4F8472855029F4C01FAF5F6E9A3A0D2497461D42CE92B7
        SHA-512:11265072313C191AB6DFE7F2BD01157B3E0C5264D986D674535A995157BCECBD3910DDD53A7F622B972E3EAF4C94AFC866CDB231C66D11C3CBACC7D6750B6F2A
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.0.7.6.4.2.4.0.1.8.6.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.0.7.6.5.7.6.5.1.8.1.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.b.8.9.b.3.e.-.5.1.d.e.-.4.a.e.4.-.a.4.c.0.-.2.f.a.9.5.6.f.2.f.d.3.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.a.2.4.1.a.1.-.0.3.e.7.-.4.5.3.c.-.b.d.8.6.-.b.4.9.4.6.1.5.d.4.3.3.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.d.4.-.0.0.0.1.-.0.0.1.b.-.f.e.2.4.-.9.7.8.f.9.f.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER440A.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 13:27:57 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):45576
        Entropy (8bit):2.114361418312875
        Encrypted:false
        SSDEEP:192:ByTnPmJD/WCsMq7J3dDlWia7rrLQ4LKO0Get7HPPWfJsYC3bLs:QnY7/q7XpWiuDlLhedPPWRsYyE
        MD5:BC29969592FCE61CC7307FB86A9A16CC
        SHA1:F8A02FE31E154F32A7D780A00D170F16E35C6A18
        SHA-256:9CE619DF22EB50415DFBB646A1893F6B1AC49DD210BBDC6E64C46DF538B038C9
        SHA-512:47B25E4E3A77B7B1DE8F1884037FECA8F6F71E0DD6721E634B7CC7B72EFF08179579704CE93BB67D6DF6C4C468F993167AB13EF6A9FEF42B2A0AB5E43C95EC11
        Malicious:false
        Preview: MDMP....... ........Jt`...................U...........B......<.......GenuineIntelW...........T............Jt`.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER5001.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8254
        Entropy (8bit):3.6925255797972847
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNiUE6R6Y7U6ngmfTgS3a+pra89bvREGqsfcVBm:RrlsNin6R6YI6ngmfTgS3lvREGJfC8
        MD5:A54AF6B0E5BE70F66D1364DFEA66E293
        SHA1:3E7C61679DAE3534C7844A2533E25CFFAC6DACDC
        SHA-256:BB5915E893B211C8C3EDAAABBFF410E54B37C53B7E478CC45410C900BE324D8F
        SHA-512:00F6429A03CD2C6099FCFF6CF79AF6AA1E73EC19740E2A89330399B559564CFB2B0014B3345B8EA6FF7F993985D6131F5F3440A107E33BB17F233F5EED9444D2
        Malicious:false
        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.9.6.<./.P.i.d.>.......
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER54A6.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.452465742872191
        Encrypted:false
        SSDEEP:48:cvIwSD8zseJgtWI9CAu9kWSC8BW8fm8M4JCds8F4ak+q8/pLJ4SrS8d:uITfUfAu99SNJJwkYJDW8d
        MD5:D31D6603740CE9CE6E0E696F86C22AC4
        SHA1:7AF324A5773DA231069ED96BB9301F1F9DDD1155
        SHA-256:D59E15291C5CDF0772FC20438B3A9B60730352A743F119A400A778B54FEFE044
        SHA-512:A21CC9C358CF1A676E433BEC513B409668CF52F4073794B535F90F401D08EA39D83E2B7BD288BD7C9B0F83115FA7ED3C392BF4B79A08336BDA0679C9E04E5AC5
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943118" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA0A.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 13:27:21 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):46500
        Entropy (8bit):2.0966181040226965
        Encrypted:false
        SSDEEP:192:wlUSxE+xIQgPV9wlTwENLdfjT45LQ4LKO0GeC/3lEDzAWgnCIF:ALPSRaGQT45lLheSVEuNF
        MD5:B5E76FE7CE8FD6D4307D1853FAF2F6DB
        SHA1:64981726DF130BE566D82F82A8187D66E1326FAD
        SHA-256:D86783105B9E35139FD4804CA936F773D19DADD0B5D86A8237407C779C79E01E
        SHA-512:EED406B29F0E29578C90FB01A8EDD1C51D4ABBE08806E40AE79E037344501A0C56F6FEE7316D53FE494C0A6298CDEAD45F8F762F3FD0D433C1EB5FEC7D18DF61
        Malicious:false
        Preview: MDMP....... ........Jt`...................U...........B......<.......GenuineIntelW...........T............Jt`.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA48.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 13:27:21 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):44412
        Entropy (8bit):2.2018242460678756
        Encrypted:false
        SSDEEP:192:sJmCXdwHi3rJvRqWOtv/w+u3IntdnLQ4LKO0Ge9ikzSWZ3y0nlA:cftAI1pT3IHlLheAkzSa3Ju
        MD5:AF8F54F2D8735827C37F794B96787A7D
        SHA1:1CEAC03031CE26BFB9B6451D7D6A5D698BF9ADDF
        SHA-256:1E649645DCB02410D73B927846BCEB7AE95060E4121AC7BBCCF413497E2F4B44
        SHA-512:C010C35DD9612BF64F41BD93D188B83CBDD7E0D0F4CB737DE37E3B36EE31ECCACC36C9A783A41A4A54E016BFB9968936EAC7F89D54BF8FA87869B3313D99660A
        Malicious:false
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERC277.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8246
        Entropy (8bit):3.692815470892518
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNid8l6G6Y7b6T+gmfT5S3a+prx89bvgRsfXJVGm:RrlsNi26G6YH6qgmfT5S3YvgKfXLv
        MD5:EFF0134F045E46E1192474917C62C2A8
        SHA1:150210F8BEB107014D03BDA39C6E8B0096387AD2
        SHA-256:9DFC6C18094C27F0FABA373C78BCFB8766F8A5885C9BA29CAA2CC8BEB849E0C3
        SHA-512:79DCA8F941CEF2EC8B764CBC643DA37AF167FCD1D1E34F899621EFE0812B2CA1A11B34A8B4ED33C1741BCEAE2A9582CDF19D42FFF30CC9A3AD1347123F1143D8
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>6868</Pid>..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERC371.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8242
        Entropy (8bit):3.6949087264063945
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNiLz6N6YQNy6SgmfT5S3a+prC89bvgwsfxyVGm:RrlsNif6N6YQo6SgmfT5S3dvgDfx8v
        MD5:F12BE363E51A81F887EDF21839B285DA
        SHA1:DCE576D1D5A11D26C281DB1092F333D67027EF24
        SHA-256:BFFA931F6988EA1764084F5CB096E5B288691EF577D409C85D0E1DDCA59D07F2
        SHA-512:E38C2A93DA773DF57917C25A3831963D1B417B611069017AB756014CA4A9AFCCA2767ACBCF898C16B4DE21592ABA7351A99782415993ED790E66BACA624E73EB
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>6880</Pid>..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERC566.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.457170834098322
        Encrypted:false
        SSDEEP:48:cvIwSD8zseJgtWI9CAu9kWSC8B7a8fm8M4JCdsHF7C+q8/pz4SrSkd:uITfUfAu99SNBvJSWDWkd
        MD5:699CC41587F86CAD1446EB8EA973833D
        SHA1:98EE477D0D7862B1CCB2E345D874856F147979F2
        SHA-256:B503E7817E567D1269EA282A68A19C9B4A851F24F490382A4C3617326ABC6B73
        SHA-512:EAA33FA55C1E06D3EDFEA65867E26480D3B1B3182CF84911B7ACD0A8B00A68FF3F8658ED53505063E434F552083FCFC64979814A4317FEA3501EA7689A8C1D60
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943118" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERC65E.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 13:27:25 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):49520
        Entropy (8bit):2.3362085739645937
        Encrypted:false
        SSDEEP:192:O6siwtXlAB2U2cZ+0p0AMEiitHIoI0bLZHXLQ4LKO0GeQSEyPslknkb7:uiwtS2E+c0ZViH7lLheCyPsOkb7
        MD5:44CC6081D6CB80DF9AE9CEF179A6218A
        SHA1:17E065CBF0150334085C49E28EB92C5C41568281
        SHA-256:4AA10C796CA9DCAAF06F7A142C6E6EEE15B282A900D3D7D1E6FA2D5290010D7B
        SHA-512:41FB82BBE4E549612C59D2C4F95461EF198ABFA105C8995E41B161D1C7453EEC05ABDE090786D1331CC616DB116814FBEB5762192E6FA7C7FF700C421744F3FA
        Malicious:false
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERC68F.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.455212563263293
        Encrypted:false
        SSDEEP:48:cvIwSD8zseJgtWI9CAu9kWSC8BVa8fm8M4JCdsHFnbm+q8/pA4SrS5d:uITfUfAu99SNbvJDaRDW5d
        MD5:10F58E17A07F4E81B4A09BDB9E4483A1
        SHA1:6F19E9FCA58A6FE6B2D35C6B7870B524947760A6
        SHA-256:CDF44C3800A39E385C92BCA66A0C63439EE9421FA94A676AFC799CAD18C85DB8
        SHA-512:DAF7FA0F820EECE74DEE426F7B43F21E8C6240655ECCF8A801225983B31D64D36E19D77CF6D33B1CDCAF5DF3DA434CED0BF5C210F1D96A872DF9CCA540BD81D7
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943118" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERD4A7.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8262
        Entropy (8bit):3.693477261844468
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNil26s6Y7X56h+gmfT9S3a+pr089bv/asfvVvm:RrlsNiU6s6YD564gmfT9S33v/5ftO
        MD5:E499F2C76629836DBE1245A34BDC675B
        SHA1:D89C46F462AB2B12F286630D314EFFFB31B2536A
        SHA-256:7AC2E35783203637A969C6C3884A338C319B9E7B81D3150176EDE53CAA47EDA5
        SHA-512:8841073B5DDA7A8672A934A68CEA428FAF9BF01AD2E8A74DC35144AEBE356D43546F363E156CD73C273596294C642E4CE318218FA758B67220CD9FC4142FE9E4
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>7124</Pid>..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERD94A.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 13:27:33 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):49112
        Entropy (8bit):2.3871068415769936
        Encrypted:false
        SSDEEP:192:L61unKtaaoL9Yy9R711PCe5PubwyA15PerEZfh96ceUEtLQ4LKO0Ge6o/Es8Uavu:21unKtm57119kA1ZUsTEVlLheth8/KR
        MD5:FF37B9362F711225B025C77558F322E6
        SHA1:DEF70241888A46D351941386D4DB89BB4F89DD94
        SHA-256:29B952E4749C3A2250F6C9BEDC86CF541E2C8E986F746334917C1B239EBA995D
        SHA-512:D0BC54E0D9AF94639E2C45A6AB5691230B881ABD3D514E7E7EB4E8A390C704C1C1CBD5FC0487B5EB1D8FBDB11E8B54AE956F866E97007DBD524EA75C228148F5
        Malicious:false
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA46.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.455873668706281
        Encrypted:false
        SSDEEP:48:cvIwSD8zseJgtWI9CAu9kWSC8Bz8fm8M4JCdszFM3o+q8/pX4SrSDd:uITfUfAu99SNGJsoaDWDd
        MD5:81BD8600CF33BA0CEBA52C9044BF5CBD
        SHA1:A29C85A9ABF035708DC3A87C8B7D1FC18449DD38
        SHA-256:91F66D129E2D66868908101BC39123E91FBD470A1D17C96C57BB6E8FFFA9D8D2
        SHA-512:3012A84D1F0FDC1A4B47C0BF7AEB7E47DE936A961AE0BCC355D9EB039B2D033FD63B216D6D324D32BABC60E60FB303137EB39FD159303743AB61C9027F579F1A
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943118" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2DE.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8266
        Entropy (8bit):3.6920657312157865
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNiRW6TA6Y7h6ai+gmfT9S3a+pre89bvc5sf9mVam:RrlsNiw606Yd6abgmfT9S3RvcSfur
        MD5:8465DB4319C6F16F21998A5B1003D154
        SHA1:306148AF3F82C2A7CB8FE4039F7D7B3A32004A20
        SHA-256:2412CB9E17C290D6C7D8FBBF079618E9222C58824469AE796ED52965A205175C
        SHA-512:D6D1EC05B049239F1F861E0A9375ED94D5B3CC6B4084D5743D1B55522096C42C879DB3E1693FE7FDBAA4CD1E999972275C6F9E3B93A655E202216CCF8BC94D4E
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3492</Pid>..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF957.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.456770616078265
        Encrypted:false
        SSDEEP:48:cvIwSD8zseJgtWI9CAu9kWSC8BJb8fm8M4JCdszF00+q8/pA4SrS8d:uITfUfAu99SN8JE0hDW8d
        MD5:DFDD032CDB874D482D455C803BE70853
        SHA1:C10B9EF458D0E6EDD93C4199DAEAE304D989432A
        SHA-256:29DEDB49059C487BFA7922710252B7842B1DF53B93F5262C835F08E2A59A064C
        SHA-512:287E90FBE5F63F5BF4850BB4298A90F9C1D9FD073196A98901865821D5B462D1FB0109C42E11AE27718D32B82277DA7A3186A70A03C25B49C28CFAAEF05A10EC
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943118" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

        Static File Info

        General

        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Entropy (8bit):6.246113418766052
        TrID:
        • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
        • Windows Screen Saver (13104/52) 1.29%
        • Generic Win/DOS Executable (2004/3) 0.20%
        • DOS Executable Generic (2002/1) 0.20%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:utility.dll
        File size:194296
        MD5:c84fd1069470c4f7cbcd9fa10fc32615
        SHA1:94ca6af9cae336754da47e2b8694a1f33db78e89
        SHA256:59d2ed9608ac543bd671da7b17558ebce275f64dd80fc84abd10fd31dea49c5e
        SHA512:f37f6eaf9f234fbe93619c72e7e012fb37b6b5779ff80c244fc19bd3bb628b0193d275c3e7f21d168fcb0f994a49c61169b11fde30819543092d09b41283903d
        SSDEEP:3072:+KEDvFkRNFycul5xjfMEOlL9M0Uiu+SeiMEvqrWB37d7YM1t7OrGsLZQm:2vF1fIL9M0UiuheZEyrWBrhYMzOrGOT
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.@A_i.A_i.A_i..}b.C_i.:Ce.@_i..Cg.W_i..@c.4_i..@b.K_i.A_i.K_i.A_h.._i..P4.P_i.G|c.C_i.G|b.Z_i...m.@_i.RichA_i................

        File Icon

        Icon Hash:74f0e4ecccdce0e4

        Static PE Info

        General

        Entrypoint:0x1001782f
        Entrypoint Section:.text
        Digitally signed:true
        Imagebase:0x10000000
        Subsystem:windows gui
        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
        DLL Characteristics:
        Time Stamp:0x55C07E95 [Tue Aug 4 08:57:57 2015 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f57837ddefd6a23c92486b80aca0917a

        Authenticode Signature

        Signature Valid:true
        Signature Issuer:CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
        Signature Validation Error:The operation completed successfully
        Error Number:0
        Not Before, Not After
        • 5/4/2015 2:00:00 AM 5/8/2016 1:59:59 AM
        Subject Chain
        • CN=Northcode Inc., OU=SECURE APPLICATION DEVELOPMENT, O=Northcode Inc., L=Ottawa, S=Ontario, C=CA
        Version:3
        Thumbprint MD5:C53B59F35C5767ABA434E5064C15AB35
        Thumbprint SHA-1:AB6E9D1997F370BB16124928C4817BBC196BE3FA
        Thumbprint SHA-256:653E2B5E0DC1BBD9E0696457D74C4CADF306AEB7BC8AE16B0CD9A15E9700605A
        Serial:7EFA7BCE3063E7499CE40F37454B10A6

        Entrypoint Preview

        Instruction
        push ebp
        mov ebp, esp
        push ebx
        mov ebx, dword ptr [ebp+08h]
        push esi
        mov esi, dword ptr [ebp+0Ch]
        push edi
        mov edi, dword ptr [ebp+10h]
        test esi, esi
        jne 00007F5100A106DBh
        cmp dword ptr [1002ED14h], 00000000h
        jmp 00007F5100A106F8h
        cmp esi, 01h
        je 00007F5100A106D7h
        cmp esi, 02h
        jne 00007F5100A106F4h
        mov eax, dword ptr [1002F444h]
        test eax, eax
        je 00007F5100A106DBh
        push edi
        push esi
        push ebx
        call eax
        test eax, eax
        je 00007F5100A106DEh
        push edi
        push esi
        push ebx
        call 00007F5100A105BCh
        test eax, eax
        jne 00007F5100A106D6h
        xor eax, eax
        jmp 00007F5100A10720h
        push edi
        push esi
        push ebx
        call 00007F51009FBDB6h
        cmp esi, 01h
        mov dword ptr [ebp+0Ch], eax
        jne 00007F5100A106DEh
        test eax, eax
        jne 00007F5100A10709h
        push edi
        push eax
        push ebx
        call 00007F5100A10598h
        test esi, esi
        je 00007F5100A106D7h
        cmp esi, 03h
        jne 00007F5100A106F8h
        push edi
        push esi
        push ebx
        call 00007F5100A10587h
        test eax, eax
        jne 00007F5100A106D5h
        and dword ptr [ebp+0Ch], eax
        cmp dword ptr [ebp+0Ch], 00000000h
        je 00007F5100A106E3h
        mov eax, dword ptr [1002F444h]
        test eax, eax
        je 00007F5100A106DAh
        push edi
        push esi
        push ebx
        call eax
        mov dword ptr [ebp+0Ch], eax
        mov eax, dword ptr [ebp+0Ch]
        pop edi
        pop esi
        pop ebx
        pop ebp
        retn 000Ch
        mov eax, dword ptr [1002ED20h]
        cmp eax, 01h
        je 00007F5100A106DFh
        test eax, eax
        jne 00007F5100A106E0h
        cmp dword ptr [1002ED24h], 01h
        jne 00007F5100A106D7h
        call 00007F5100A14B12h
        push dword ptr [esp+04h]
        call 00007F5100A14B42h
        push 000000FFh

        Rich Headers

        Programming Language:
        • [LNK] VC++ 6.0 SP5 build 8804

        Data Directories

        Name                                  Virtual Address  Virtual Size  Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT          0x24020          0xa3c         .rdata
        IMAGE_DIRECTORY_ENTRY_IMPORT          0x231d8          0xb4          .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
        IMAGE_DIRECTORY_ENTRY_SECURITY        0x2e000          0x16f8        .data
        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x31000          0x16dc        .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
        IMAGE_DIRECTORY_ENTRY_IAT             0x20000          0x2d0         .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

        Sections

        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
        .text   0x1000           0x1efe9       0x1f000   False     0.54097624748    data       6.67713038792  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rdata  0x20000          0x4a5c        0x5000    False     0.51171875       data       5.97801634413  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data   0x25000          0xb464        0x6000    False     0.198323567708   data       2.64122400209  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .reloc  0x31000          0x20ea        0x3000    False     0.399332682292   data       4.07308642566  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Imports

        DLL: Imports
        USER32.dll: LoadCursorA, GetCursor, LoadImageA, UnregisterClassA, CreateWindowExA, RegisterClassA, DestroyWindow, DispatchMessageA, GetMessageA, PostMessageA, DefWindowProcA, GetWindowDC, OffsetRect, UnionRect, IntersectRect, ValidateRect, RedrawWindow, InvalidateRect, GetWindowLongA, SetWindowLongA, SetWindowRgn, GetDC, ReleaseDC, GetWindowRect, GetClientRect, ClientToScreen, SetRect, MessageBoxA, wsprintfA
        KERNEL32.dll: CloseHandle, ReadFile, WriteFile, CreateFileA, GetFullPathNameA, DeleteFileA, LocalFree, LocalAlloc, GetFileSize, SetFilePointer, SetThreadPriority, GetThreadPriority, QueryPerformanceCounter, QueryPerformanceFrequency, GetCurrentThread, FreeLibrary, GetProcAddress, LoadLibraryA, GetLastError, SetFileAttributesA, GetFileAttributesA, lstrcpynA, lstrlenA, lstrcpyA, SystemTimeToFileTime, GetSystemTime, CompareFileTime, WideCharToMultiByte, MultiByteToWideChar, CreateThread, GetStringTypeW, GetTickCount, SetSystemTime, FileTimeToSystemTime, HeapFree, HeapAlloc, GetProcessHeap, GetVersion, GetStartupInfoA, GetCurrentProcess, GetModuleHandleA, SetLastError, GetVersionExA, CreateProcessA, GetStringTypeA, LCMapStringW, LCMapStringA, HeapSize, TerminateProcess, TlsGetValue, TlsFree, TlsAlloc, TlsSetValue, GetCurrentThreadId, ExitProcess, DeleteCriticalSection, InitializeCriticalSection, SetHandleCount, GetStdHandle, GetFileType, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetUnhandledExceptionFilter, IsBadReadPtr, RaiseException, IsBadCodePtr, GetCPInfo, FlushFileBuffers, SetStdHandle, GetACP, GetOEMCP, CompareStringA, CompareStringW, SetEnvironmentVariableA, ExitThread, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetModuleFileNameA, GetCommandLineA, LeaveCriticalSection, EnterCriticalSection, GetLocalTime, RtlUnwind, HeapReAlloc, InterlockedDecrement, InterlockedIncrement, GetTimeZoneInformation
        WSOCK32.dll: WSACleanup, listen, bind, htons, closesocket, WSAAsyncSelect, socket, WSAGetLastError, accept, recv, send, connect, gethostbyname, WSAStartup
        GDI32.dll: GetObjectA, GetDIBits, OffsetRgn, BitBlt, DeleteDC, CreateCompatibleDC, SelectObject, ExtCreateRegion, CreateDIBSection, GetRegionData, CreateRectRgn, CombineRgn, DeleteObject, GetDeviceCaps
        ADVAPI32.dll: RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, IsValidSid, EqualSid, GetSidSubAuthorityCount, GetSidLengthRequired, GetSidIdentifierAuthority, InitializeSid, GetSidSubAuthority, GetTokenInformation
        ole32.dll: StgIsStorageFile, StgOpenStorage
        OLEAUT32.dll: SysAllocString, SysStringByteLen, SysAllocStringByteLen, SysAllocStringLen, GetErrorInfo
        NETAPI32.dll: NetUserModalsGet, NetApiBufferFree

        Exports

        Name                            Ordinal  Address
        CPUSpeed                        1        0x100019d0
        Decrypt                         3        0x10001f10
        Decrypt2BinStr                  2        0x10001ff0
        DecryptEx                       4        0x10001eb0
        Deflate                         5        0x100013b0
        DeflateToMemory                 6        0x100018a0
        DirectDrawEnumDisplayModes      7        0x100026b0
        DirectDrawIsSupported           8        0x10002560
        DirectDrawRestoreDisplayMode    9        0x10002650
        DirectDrawSetDisplayMode        10       0x100025c0
        DirectoryAdd                    11       0x10002870
        DirectoryClear                  12       0x10002830
        DirectoryDump                   13       0x10002820
        DirectoryLoadFile               15       0x10002a70
        DirectoryLoadFile2              14       0x10002b80
        DirectoryReadFileChunk          16       0x10002de0
        DirectorySaveFile               17       0x10002e40
        Encrypt                         18       0x10001d30
        EncryptEx                       19       0x10001e50
        FLAGetVersion                   20       0x10003310
        FLAOpenFile                     21       0x10002f80
        FileDecrypt                     22       0x10002290
        FileEncrypt                     23       0x10002170
        Hash                            24       0x10001c00
        Inflate                         25       0x100013d0
        InflateHeader                   26       0x10001460
        InflateHeaderFromBuffer         27       0x10001640
        InflateToMemory                 28       0x10001780
        IsCursorARROW                   29       0x100023e0
        IsCursorIBEAM                   30       0x100023f0
        NetworkListMACs                 31       0x100066d0
        PluginDispatch                  32       0x100036b0
        PluginDispatchEx                33       0x100036e0
        PluginDispatchSync              34       0x10003710
        PluginDispatchSyncEx            35       0x10003750
        PluginGet                       36       0x100035a0
        PluginOnLoad                    37       0x10003650
        PluginOnUnload                  38       0x10003680
        PluginSet                       39       0x100035e0
        PluginSetEx                     40       0x10003610
        RegionSave                      41       0x10003cd0
        RegionScan                      42       0x100037b0
        RegionScanEx                    43       0x10003ac0
        SecurityAddDays                 44       0x100047c0
        SecurityDelete                  45       0x10004430
        SecurityGetExpiryDate           46       0x100041b0
        SecurityGetExpiryFlag           47       0x10004170
        SecurityGetTimeNow              48       0x10004270
        SecurityGetUserData             49       0x10004210
        SecurityIsExpired               50       0x10004290
        SecurityIsFirstRun              51       0x10004150
        SecurityLoad                    52       0x10003e90
        SecurityReset                   53       0x100046a0
        SecuritySave                    54       0x10004340
        SecuritySetExpiryDate           55       0x100041e0
        SecuritySetExpiryFlag           56       0x10004190
        SecuritySetUserData             57       0x10004240
        SecurityWipeMemory              58       0x10004470
        ServerGetPort                   73       0x10004d60
        ServerGetWindow                 74       0x10004d50
        ServerIsListening               75       0x10004d70
        ServerListen                    76       0x10004a80
        ServerListenOnPort              77       0x10004b60
        ServerSetVirtualRoot            78       0x10004d80
        ServerStart                     79       0x10004990
        ServerStop                      80       0x10004cd0
        SysInfoGetAdaptersInfo          59       0x10006db0
        Test                            60       0x10007220
        TimeGetFileTime                 61       0x10006b40
        TimeSync                        62       0x10006cc0
        ToolsChangeWindowMessageFilter  63       0x10007920
        ToolsGetDefaultPrinter          64       0x100077f0
        ToolsGetProcessMemoryInfo       65       0x100076f0
        ToolsGetStartupWindowState      66       0x100072b0
        ToolsIsUserAnAdmin              67       0x100073e0
        ToolsLockWorkStation            68       0x10007240
        ToolsReleaseMemory              69       0x10007660
        ToolsSetDefaultPrinter          70       0x100078c0
        ToolsValidateUserCredentials    71       0x100077d0
        TransparentAttachChild          81       0x10007db0
        TransparentBegin                82       0x10007c50
        TransparentBringToFront         83       0x10007e10
        TransparentDetachChild          84       0x10007dd0
        TransparentEnable               85       0x10007c80
        TransparentEnd                  86       0x10007e30
        TransparentForceMaskedMode      87       0x10007ca0
        TransparentFreeze               88       0x10007d40
        TransparentIsMaskedMode         89       0x10007cc0
        TransparentSetBackgroundColor   90       0x10007d20
        TransparentSetChildPos          91       0x10007df0
        TransparentSetColorDepth        92       0x10007d00
        TransparentSetQuality           93       0x10007ce0
        TransparentWMPaint              94       0x10007d60
        UtilityIsLoaded                 72       0x10002f70

        Network Behavior

        Network Port Distribution

        UDP Packets

        Timestamp                               Source Port  Dest Port  Source IP    Dest IP
        Apr 12, 2021 15:27:10.463754892 CEST    49257        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:10.523483038 CEST    53           49257      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:12.358792067 CEST    62389        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:12.407529116 CEST    53           62389      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:16.026741028 CEST    49910        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:16.078315020 CEST    53           49910      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:17.805026054 CEST    55854        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:17.856899023 CEST    53           55854      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:18.736902952 CEST    64549        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:18.785651922 CEST    53           64549      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:22.220108986 CEST    63153        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:22.268802881 CEST    53           63153      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:25.909408092 CEST    52991        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:25.969369888 CEST    53           52991      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:27.293838024 CEST    53700        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:27.342792034 CEST    53           53700      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:29.895832062 CEST    51726        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:29.947455883 CEST    53           51726      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:30.123728037 CEST    56794        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:30.172540903 CEST    53           56794      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:39.439891100 CEST    56534        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:39.488693953 CEST    53           56534      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:40.642024040 CEST    56627        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:40.693648100 CEST    53           56627      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:43.922452927 CEST    56621        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:43.971477032 CEST    53           56621      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:47.616653919 CEST    63116        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:47.675599098 CEST    53           63116      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:27:56.377962112 CEST    64078        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:27:56.426784039 CEST    53           64078      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:02.646528959 CEST    64801        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:02.709189892 CEST    53           64801      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:03.089715958 CEST    61721        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:03.094371080 CEST    51255        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:03.146033049 CEST    53           51255      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:03.161860943 CEST    53           61721      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:03.456290007 CEST    61522        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:03.517818928 CEST    53           61522      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:03.640702963 CEST    52337        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:03.697858095 CEST    53           52337      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:04.143016100 CEST    55046        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:04.200367928 CEST    53           55046      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:04.627767086 CEST    49612        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:04.684884071 CEST    53           49612      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:06.241982937 CEST    49285        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:06.303272009 CEST    53           49285      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:06.663604975 CEST    50601        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:06.716243029 CEST    53           50601      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:08.210874081 CEST    60875        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:08.307351112 CEST    53           60875      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:10.036842108 CEST    56448        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:10.131952047 CEST    53           56448      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:10.648545027 CEST    59172        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:10.716948986 CEST    53           59172      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:11.577315092 CEST    62420        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:11.626153946 CEST    53           62420      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:12.112710953 CEST    60579        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:12.169935942 CEST    53           60579      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:12.682240009 CEST    50183        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:12.791203976 CEST    53           50183      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:12.877532959 CEST    61531        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:12.926136971 CEST    53           61531      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:13.218595028 CEST    49228        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:13.275599003 CEST    53           49228      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:13.891577959 CEST    59794        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:13.948900938 CEST    53           59794      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:14.660521030 CEST    55916        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:14.718916893 CEST    53           55916      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:15.253689051 CEST    52752        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:15.302344084 CEST    53           52752      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:15.486116886 CEST    60542        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:15.540204048 CEST    53           60542      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:17.129343987 CEST    60689        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:17.200845003 CEST    53           60689      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:18.091464043 CEST    64206        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:18.143312931 CEST    53           64206      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:18.238210917 CEST    50904        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:18.297113895 CEST    53           50904      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:20.888122082 CEST    57525        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:20.937088013 CEST    53           57525      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:21.680794954 CEST    53814        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:21.742914915 CEST    53           53814      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:25.864119053 CEST    53418        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:25.921968937 CEST    53           53418      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:25.971663952 CEST    62833        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:25.990525007 CEST    59260        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:26.037436962 CEST    53           62833      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:26.070878029 CEST    53           59260      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:26.764676094 CEST    49944        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:26.813457966 CEST    53           49944      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:44.894730091 CEST    63300        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:44.943419933 CEST    53           63300      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:46.601078987 CEST    61449        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:46.652355909 CEST    53           61449      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:47.757010937 CEST    51275        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:47.805697918 CEST    53           51275      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:48.745296955 CEST    63492        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:48.793936968 CEST    53           63492      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:53.557626009 CEST    58945        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:53.607558012 CEST    53           58945      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:54.168512106 CEST    60779        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:54.218209028 CEST    53           60779      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:54.253176928 CEST    64014        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:54.312875986 CEST    53           64014      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:55.113812923 CEST    57091        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:55.162693024 CEST    53           57091      8.8.8.8      192.168.2.4
        Apr 12, 2021 15:28:56.338979959 CEST    55904        53         192.168.2.4  8.8.8.8
        Apr 12, 2021 15:28:56.387799025 CEST    53           55904      8.8.8.8      192.168.2.4

        DNS Answers

        Timestamp                               Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                                 Address  Type                    Class
        Apr 12, 2021 15:28:02.709189892 CEST    8.8.8.8    192.168.2.4  0x4981    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net           CNAME (Canonical name)  IN (0x0001)
        Apr 12, 2021 15:28:03.161860943 CEST    8.8.8.8    192.168.2.4  0x3e44    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net           CNAME (Canonical name)  IN (0x0001)
        Apr 12, 2021 15:28:03.697858095 CEST    8.8.8.8    192.168.2.4  0x4436    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net           CNAME (Canonical name)  IN (0x0001)
        Apr 12, 2021 15:28:04.200367928 CEST    8.8.8.8    192.168.2.4  0x155a    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net           CNAME (Canonical name)  IN (0x0001)
        Apr 12, 2021 15:28:25.921968937 CEST    8.8.8.8    192.168.2.4  0x88b1    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net           CNAME (Canonical name)  IN (0x0001)

        Code Manipulations

        Statistics

        Behavior

        System Behavior

        General

        Start time:15:27:14
        Start date:12/04/2021
        Path:C:\Windows\System32\loaddll32.exe
        Wow64 process (32bit):true
        Commandline:loaddll32.exe 'C:\Users\user\Desktop\utility.dll'
        Imagebase:0x210000
        File size:116736 bytes
        MD5 hash:542795ADF7CC08EFCF675D65310596E8
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate

        General

        Start time:15:27:14
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
        Imagebase:0x11d0000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:15
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:15
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:17
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 696
        Imagebase:0xbf0000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:17
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6868 -s 688
        Imagebase:0xbf0000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:18
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:20
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 688
        Imagebase:0xbf0000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:21
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt2BinStr
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:23
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 688
        Imagebase:0xbf0000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:25
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DecryptEx
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:28
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,Deflate
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:32
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DeflateToMemory
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:15:27:35
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawEnumDisplayModes
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        General

        Start time:15:27:39
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawIsSupported
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        General

        Start time:15:27:42
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawRestoreDisplayMode
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        General

        Start time:15:27:45
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawSetDisplayMode
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        General

        Start time:15:27:49
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryAdd
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        General

        Start time:15:27:51
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 688
        Imagebase:0xbf0000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        General

        Start time:15:27:53
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryClear
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        General

        Start time:15:27:56
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryDump
        Imagebase:0x9b0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Disassembly

        Code Analysis
