Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report utility.dll

Overview

General Information

Sample Name:utility.dll
Analysis ID:385485
MD5:c84fd1069470c4f7cbcd9fa10fc32615
SHA1:94ca6af9cae336754da47e2b8694a1f33db78e89
SHA256:59d2ed9608ac543bd671da7b17558ebce275f64dd80fc84abd10fd31dea49c5e
Infos:

Most interesting Screenshot:

Detection

Score:8
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample crashes during execution, try analyze it on another analysis machine
Sample may be VM or Sandbox-aware, try analysis on a native machine



Startup

  • System is w10x64
  • loaddll32.exe (PID: 3664 cmdline: loaddll32.exe 'C:\Users\user\Desktop\utility.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4080 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 908 cmdline: rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 1956 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 696 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 460 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5360 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4120 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5436 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt2BinStr MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5988 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DecryptEx MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 4928 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,Deflate MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3580 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1268 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DeflateToMemory MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 3512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 3352 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawEnumDisplayModes MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5716 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawIsSupported MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5324 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawRestoreDisplayMode MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3544 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawSetDisplayMode MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6220 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryAdd MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 688 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6356 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryClear MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6444 cmdline: rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryDump MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10002170 FileEncrypt,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10002290 FileDecrypt,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10004340 SecuritySave,CompareFileTime,CompareFileTime,CompareFileTime,EncryptEx,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001D30 Encrypt,SysAllocStringLen,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001E50 EncryptEx,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10003E90 SecurityLoad,SecurityWipeMemory,GetSystemTime,SystemTimeToFileTime,wsprintfA,lstrcpyA,wsprintfA,wsprintfA,lstrlenA,lstrcpyA,lstrcpynA,DecryptEx,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001EB0 DecryptEx,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001F10 Decrypt,SysAllocStringLen,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001FF0 Decrypt2BinStr,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10002170 FileEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10002290 FileDecrypt,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10004340 SecuritySave,CompareFileTime,CompareFileTime,CompareFileTime,EncryptEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10001D30 Encrypt,SysAllocStringLen,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10001E50 EncryptEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10003E90 SecurityLoad,SecurityWipeMemory,GetSystemTime,SystemTimeToFileTime,wsprintfA,lstrcpyA,wsprintfA,wsprintfA,lstrlenA,lstrcpyA,lstrcpynA,DecryptEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10001EB0 DecryptEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10001F10 Decrypt,SysAllocStringLen,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10001FF0 Decrypt2BinStr,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10002170 FileEncrypt,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10002290 FileDecrypt,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10004340 SecuritySave,CompareFileTime,CompareFileTime,CompareFileTime,EncryptEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10001D30 Encrypt,SysAllocStringLen,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10001E50 EncryptEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10003E90 SecurityLoad,SecurityWipeMemory,GetSystemTime,SystemTimeToFileTime,wsprintfA,lstrcpyA,wsprintfA,wsprintfA,lstrlenA,lstrcpyA,lstrcpynA,DecryptEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10001EB0 DecryptEx,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10001F10 Decrypt,SysAllocStringLen,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10001FF0 Decrypt2BinStr,
Source: utility.dllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: utility.dllStatic PE information: certificate valid
Source: unknownDNS traffic detected: queries for: clientconfig.passport.net
Source: utility.dllString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: utility.dllString found in binary or memory: http://ocsp.thawte.com0
Source: utility.dllString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: utility.dllString found in binary or memory: http://t2.symcb.com0
Source: utility.dllString found in binary or memory: http://tl.symcb.com/tl.crl0
Source: utility.dllString found in binary or memory: http://tl.symcb.com/tl.crt0
Source: utility.dllString found in binary or memory: http://tl.symcd.com0&
Source: utility.dllString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: utility.dllString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: utility.dllString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: utility.dllString found in binary or memory: https://www.thawte.com/cps0/
Source: utility.dllString found in binary or memory: https://www.thawte.com/repository0
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10005830
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100120C0
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10013160
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001E96D
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100019D0
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100151D2
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000B9E0
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10011A80
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000B390
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100143C1
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10009400
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000BC30
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10011470
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10018507
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10014D10
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10015D40
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10015590
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10014610
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000BE90
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000B6E0
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10002F80
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10013790
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10010FC0
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000AFF0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100019D0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10005830
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100120C0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10013160
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001E96D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100151D2
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000B9E0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10011A80
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000B390
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100143C1
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10009400
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000BC30
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10011470
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10018507
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10014D10
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10015D40
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10015590
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10014610
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000BE90
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000B6E0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10002F80
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10013790
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10010FC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1000AFF0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10005830
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_100120C0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10013160
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_1001E96D
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_100019D0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_100151D2
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_1000B9E0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10011A80
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_1000B390
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_100143C1
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10009400
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_1000BC30
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10011470
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10018507
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10014D10
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10015D40
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10015590
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10014610
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_1000BE90
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_1000B6E0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10002F80
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10013790
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10010FC0
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_1000AFF0
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 688
Source: utility.dllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: classification engineClassification label: clean8.winDLL@51/32@1/0
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4120
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6220
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess460
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4928
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess908
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5436
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5988
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1268
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD60F.tmpJump to behavior
Source: utility.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\win.ini
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\utility.dll'
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 688
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 696
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 688
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt2BinStr
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 688
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DecryptEx
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 688
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Deflate
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 688
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DeflateToMemory
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 688
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawEnumDisplayModes
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawIsSupported
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawRestoreDisplayMode
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawSetDisplayMode
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryAdd
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 688
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryClear
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryDump
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt2BinStr
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DecryptEx
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,Deflate
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DeflateToMemory
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawEnumDisplayModes
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawIsSupported
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawRestoreDisplayMode
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawSetDisplayMode
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryAdd
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryClear
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryDump
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\System32\loaddll32.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: utility.dllStatic PE information: certificate valid
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100078C0 ToolsSetDefaultPrinter,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10016730 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10016730 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10016730 push eax; ret
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000CA50 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100019D0 rdtsc
Source: C:\Windows\System32\loaddll32.exeCode function: SysInfoGetAdaptersInfo,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: SysInfoGetAdaptersInfo,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: SysInfoGetAdaptersInfo,LoadLibraryA,GetProcAddress,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\loaddll32.exeAPI coverage: 1.4 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 1.3 %
Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 0.9 %
Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll32.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100019D0 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_100019D0 CPUSpeed,LdrInitializeThunk,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceCounter,GetThreadPriority,SetThreadPriority,QueryPerformanceCounter,QueryPerformanceCounter,SetThreadPriority,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100078C0 ToolsSetDefaultPrinter,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1000ABF0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,CloseHandle,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001C4FB SetUnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001C50D SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001C4FB SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_1001C50D SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_1001C4FB SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_1001C50D SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
Source: loaddll32.exe, 00000000.00000002.589316441.00000000011F0000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.589316441.00000000011F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.589316441.00000000011F0000.00000002.00000001.sdmpBinary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.589316441.00000000011F0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10003E90 SecurityLoad,SecurityWipeMemory,GetSystemTime,SystemTimeToFileTime,wsprintfA,lstrcpyA,wsprintfA,wsprintfA,lstrlenA,lstrcpyA,lstrcpynA,DecryptEx,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_1001D1A2 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10017756 GetVersion,GetCommandLineA,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10004A80 ServerListen,_rand,__ftol,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10004B60 ServerListenOnPort,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10004D70 ServerIsListening,
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10004DE0 socket,WSAAsyncSelect,closesocket,htons,bind,closesocket,listen,closesocket,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10004A80 ServerListen,_rand,__ftol,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10004B60 ServerListenOnPort,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10004D70 ServerIsListening,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_10004DE0 socket,WSAAsyncSelect,closesocket,htons,bind,closesocket,listen,closesocket,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10004A80 ServerListen,_rand,__ftol,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10004B60 ServerListenOnPort,DestroyWindow,UnregisterClassA,CreateThread,DestroyWindow,UnregisterClassA,WSACleanup,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10004D70 ServerIsListening,
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 33_2_10004DE0 socket,WSAAsyncSelect,closesocket,htons,bind,closesocket,listen,closesocket,

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsNative API1Application Shimming1Process Injection12Virtualization/Sandbox Evasion12OS Credential DumpingSystem Time Discovery2Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsApplication Shimming1Process Injection12LSASS MemoryQuery Registry1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerSecurity Software Discovery3SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Rundll321NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsVirtualization/Sandbox Evasion12SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncSystem Network Configuration Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemFile and Directory Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Information Discovery3Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 385485 Sample: utility.dll Startdate: 12/04/2021 Architecture: WINDOWS Score: 8 34 clientconfig.passport.net 2->34 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        14 rundll32.exe 8->14         started        16 11 other processes 8->16 process5 18 rundll32.exe 10->18         started        20 WerFault.exe 9 12->20         started        22 WerFault.exe 6 9 14->22         started        24 WerFault.exe 9 16->24         started        26 WerFault.exe 9 16->26         started        28 WerFault.exe 16->28         started        30 2 other processes 16->30 process6 32 WerFault.exe 19 11 18->32         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
utility.dll0%VirustotalBrowse
utility.dll0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
clientconfig.passport.net0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://ocsp.thawte.com00%URL Reputationsafe
http://ocsp.thawte.com00%URL Reputationsafe
http://ocsp.thawte.com00%URL Reputationsafe
http://ocsp.thawte.com00%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
clientconfig.passport.net
unknown
unknownfalseunknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://www.thawte.com/repository0utility.dllfalse
    		high
    http://crl.thawte.com/ThawteTimestampingCA.crl0utility.dllfalse
      		high
      https://www.thawte.com/cps0/utility.dllfalse
        		high
        http://ocsp.thawte.com0utility.dllfalse
        • URL Reputation: safe
        • URL Reputation: safe
        • URL Reputation: safe
        • URL Reputation: safe
        		unknown

        Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox Version:31.0.0 Emerald
        Analysis ID:385485
        Start date:12.04.2021
        Start time:15:36:36
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 9m 33s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:utility.dll
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Run name:Run with higher sleep bypass
        Number of analysed new started processes analysed:40
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:CLEAN
        Classification:clean8.winDLL@51/32@1/0
        EGA Information:
        • Successful, ratio: 60%
        HDC Information:
        • Successful, ratio: 100% (good quality ratio 96%)
        • Quality average: 85%
        • Quality standard deviation: 24.5%
        HCA Information:
        • Successful, ratio: 75%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Sleeps bigger than 120000ms are automatically reduced to 1000ms
        • Found application associated with file extension: .dll
        Warnings:
        Show All
        • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.139.144, 168.61.161.212, 20.190.160.135, 20.190.160.3, 20.190.160.5, 20.190.160.72, 20.190.160.130, 20.190.160.70, 20.190.160.9, 20.190.160.7, 40.126.31.142, 40.126.31.3, 20.190.159.131, 40.126.31.136, 40.126.31.7, 40.126.31.138, 20.190.159.133, 40.126.31.140, 40.126.31.141, 40.126.31.137, 20.190.159.132, 40.126.31.4, 20.190.159.138, 20.190.159.134, 40.126.31.6, 40.126.31.135, 20.50.102.62, 13.64.90.137, 184.30.24.56, 92.122.213.194, 92.122.213.247, 88.221.62.148, 92.123.150.225, 20.54.26.129, 20.82.210.154, 104.43.193.48, 20.82.209.183, 52.155.217.156
        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, msagfx.live.com-6.edgekey.net, authgfx.msa.akadns6.net, go.microsoft.com, login.live.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, dub2.current.a.prd.aadg.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
        • Execution Graph export aborted for target rundll32.exe, PID 1268 because there are no executed function
        • Execution Graph export aborted for target rundll32.exe, PID 4928 because there are no executed function
        • Report size exceeded maximum capacity and may have missing behavior information.

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1a1eb18902f2cde56c230bea1f2d46b66fdcaf_82810a17_07c90a00\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12316
        Entropy (8bit):3.7670478879483698
        Encrypted:false
        SSDEEP:192:zyi60oXHR+HBUZMX4jed+h+/u7sHS274ItWc4:eisXwBUZMX4jes+/u7sHX4ItWc4
        MD5:3739D5CB15C54D39E0AD41B058ACEFBB
        SHA1:3C8AA7B070843389630656CEB320FD0E33126BB4
        SHA-256:DABE06FEF7238F688E262C2AD6F0091A8A251A8772E0C5BBB793DD0F533216F3
        SHA-512:EC3D02A8ABCACDE4DE77C8A4116534DDFBCB655CFBC9C0BBF686E02DBA9B5C64B36EE081F4AFBECC525F4A2DF1FE1AD60FB7858DE32A5427808DD2A426A62626
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.4.0.6.4.2.9.4.2.7.0.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.4.0.6.4.3.8.4.8.9.5.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.0.c.a.2.a.5.-.7.f.e.b.-.4.4.5.1.-.a.b.a.f.-.5.6.b.b.7.3.1.d.3.6.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.1.5.c.2.9.0.-.d.9.a.2.-.4.1.7.a.-.a.0.e.d.-.c.7.9.8.2.6.6.3.b.9.3.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.3.8.c.-.0.0.0.1.-.0.0.1.7.-.3.0.6.c.-.8.d.6.6.e.c.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_1a1eb18902f2cde56c230bea1f2d46b66fdcaf_82810a17_149cdf75\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12316
        Entropy (8bit):3.7661877574680434
        Encrypted:false
        SSDEEP:192:hw2i/0oXfR+HBUZMX4jed+h+/u7sHS274ItWck:G2iBXIBUZMX4jes+/u7sHX4ItWck
        MD5:B3E686E1B3CD967341B02DCF749ACE32
        SHA1:3EE9654A866AC0AE1E2DF834EC0F925EDE86F2CC
        SHA-256:CE2FDD0FC85642F82D811D320D5000A978A17E4A2C8AD7124AA6F1C9E52BAD6E
        SHA-512:BBCD1EBFB1E2C79352C268246E1DA7363721DD5F0885A720BF44371183B7D7BAB6245DFA8E8A7DA013B35D9F7DD8AF7BECAD152AEB703123C4F088B5658FA9CB
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.4.0.6.4.2.8.4.8.9.5.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.4.0.6.4.3.6.9.2.7.0.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.0.5.a.2.2.1.-.3.a.3.3.-.4.8.6.8.-.9.e.5.0.-.b.e.8.e.a.6.3.0.b.0.e.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.2.0.9.c.6.d.-.2.a.5.4.-.4.7.2.0.-.a.f.4.a.-.5.3.5.c.b.5.c.a.b.e.e.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.c.c.-.0.0.0.1.-.0.0.1.7.-.2.3.0.f.-.8.a.6.6.e.c.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_35213f9598763c4410dce51d5b87d739df16f5ab_82810a17_0dd51c5f\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12320
        Entropy (8bit):3.766832839700023
        Encrypted:false
        SSDEEP:192:jIie0oXgFHBUZMX4jed+h+/u7sHS274ItWcB:cioXwBUZMX4jec+/u7sHX4ItWcB
        MD5:427FAB10FF298CDCE88B1F3AEDA166FA
        SHA1:C23339EE9E8781488D2B2D348561A5AB9B973208
        SHA-256:BA0B85C367E5D2355C284069675EACBBCBDBBC9C70E7E382AFD2766B6C34F4CC
        SHA-512:5AC9C7ED476E191CA3C635C3B1A5E817B1ED6A442D7EC76FBECD7CF35F90713510C92CB83707D1E411E4CE9011317EEA6166A5918AB02C2C12A87F9E89A81A06
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.4.0.6.5.9.2.0.8.2.8.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.4.0.6.5.9.8.9.5.7.8.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.7.8.4.2.e.7.-.a.8.0.c.-.4.e.a.6.-.8.c.3.3.-.7.e.a.1.8.a.1.b.4.b.6.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.0.6.d.2.0.5.-.d.7.d.0.-.4.7.4.8.-.8.1.2.c.-.d.6.5.3.5.e.a.2.c.8.e.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.f.4.-.0.0.0.1.-.0.0.1.7.-.c.d.5.d.-.6.7.7.0.e.c.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_3cc1cbeb22cf5bba1b683f1de9c66cedfb1a534_82810a17_14850146\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12318
        Entropy (8bit):3.7680524054368094
        Encrypted:false
        SSDEEP:192:OuNnciav0oXfEHBUZMX4jed+h+/u7sHS274ItWcI:TciaRXkBUZMX4jec+/u7sHX4ItWcI
        MD5:E2714D71D6DCA8722CCBC2EB084DAFD2
        SHA1:73B10EAE55074EF6CB8EFBDBBA451B54E3544AEA
        SHA-256:F00DA5A6E67E3AECCF0F80A8C11C18BF43552FC0FF6AF65B3DF2A5257357A21D
        SHA-512:C8D3F4F903BEA8002E700B2BC974E349B755DA95F803FEAD4565EDD21F5B168DE7977470066F497B3445494617F8401713C6D169D6B46F21DA517A49805D6A2E
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.4.0.6.5.2.2.0.8.3.0.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.4.0.6.5.2.9.5.8.3.0.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.9.8.3.1.f.5.-.a.1.e.d.-.4.2.1.6.-.b.9.8.6.-.7.3.3.6.c.7.0.e.b.9.f.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.3.8.8.8.d.3.-.4.9.3.9.-.4.c.5.7.-.a.a.4.f.-.6.f.0.3.9.6.e.3.f.6.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.6.4.-.0.0.0.1.-.0.0.1.7.-.1.8.a.2.-.5.d.6.c.e.c.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_692d4c8e33a25a7b2ade9d9882c855426fd2f6ba_82810a17_0d911579\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12294
        Entropy (8bit):3.7685429762791665
        Encrypted:false
        SSDEEP:192:EbSiJ0oXJKVHBUZMX4jed+h+/u7sHS274ItWcA:pinXgFBUZMX4jec+/u7sHX4ItWcA
        MD5:054AC5266528EDFAC39D109AB01E5E9F
        SHA1:0F5C9DB4374B023302C1E5053BE4A5955C940CDB
        SHA-256:621046744C822A4966A1ED5ED8351CDC35375329BE8BCA086CA7BB91E3AD7DE7
        SHA-512:8B9113A5F3A376A3394869DC385B0E127EE092EA6F5E7B1A405954A7C7210BEDB60AC928723BF067CF2F6261CBED0251991EFA2654B5A9B323BF1B5DA9A212A6
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.4.0.6.5.6.0.3.6.4.2.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.4.0.6.5.8.1.3.0.1.6.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.d.9.7.5.9.8.-.4.d.9.1.-.4.7.5.6.-.8.5.1.4.-.6.5.1.f.6.a.0.b.6.f.1.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.8.f.4.a.3.e.-.c.7.6.0.-.4.8.6.f.-.a.1.a.7.-.2.b.4.7.0.a.3.1.1.b.8.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.4.0.-.0.0.0.1.-.0.0.1.7.-.f.f.6.b.-.4.d.6.e.e.c.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_6995fa83d7b0318a43db0d33e1e8ff1c3499353_82810a17_18d1d4b3\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12320
        Entropy (8bit):3.768720719394826
        Encrypted:false
        SSDEEP:192:mvf0cFiV0oXtHBUZMX4jed+h+/u7ssS274ItWcM:Wfi7X9BUZMX4jec+/u7ssX4ItWcM
        MD5:088490B0E004EAA681E41123663AEA8B
        SHA1:87811A313B8F043B488DAAD633DE46F83D9F10C0
        SHA-256:DE86A9A13F287A733F04A6861000A9CE7D104FC43914967285819CFCBB4BBBF1
        SHA-512:3C856150E5C1FAF8294A7CE0D4414691A34FD7210FA4F8F285BAD6DF8CF60CDAA44BB50BB1C95A6F80894F79D2C7976EB1F3BE321D2D6A55FC3775A647A8CBFC
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.4.0.6.7.6.4.8.9.4.9.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.4.0.6.7.7.8.8.0.1.2.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.8.3.2.b.9.7.-.2.a.6.d.-.4.0.a.1.-.b.a.2.b.-.5.5.2.b.9.b.0.d.f.c.2.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.9.9.d.0.b.7.-.d.a.5.a.-.4.f.2.a.-.9.4.5.c.-.5.0.6.b.5.8.3.e.7.c.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.4.c.-.0.0.0.1.-.0.0.1.7.-.d.4.5.b.-.2.8.7.a.e.c.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8e1c7dc65b4f8892833bb6a965bb21678f4e1a_82810a17_15e4f4b3\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12320
        Entropy (8bit):3.76863374951274
        Encrypted:false
        SSDEEP:192:OliK0oXxqHBUZMX4jed+h+/u7sHS274ItWc4:oicX0BUZMX4jes+/u7sHX4ItWc4
        MD5:FE4A03FCD8B5859A9DF5544296AC6014
        SHA1:0126539A895BED1A6B483CE58A9AD30E3BD70968
        SHA-256:451144CC6B63C47909D2742BD056695574C2AC899FEA1E37318D4F7DC845533D
        SHA-512:6199F8CFD1191E623117464FE02A92752BE5CBBDB4FF20E8596923733AC6D3160202736AFEA5D12FC44DC0475A21782A9E21E075E12CA54DAD6ABB737233BAD0
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.4.0.6.4.9.0.5.2.0.6.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.4.0.6.4.9.7.3.9.5.6.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.6.1.e.3.d.f.-.9.7.0.7.-.4.c.8.6.-.9.5.0.7.-.4.b.1.d.6.8.7.4.1.b.4.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.e.3.e.3.9.2.-.f.8.8.4.-.4.7.8.a.-.8.3.f.1.-.9.3.8.c.7.e.e.6.9.a.3.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.3.c.-.0.0.0.1.-.0.0.1.7.-.0.f.3.8.-.6.b.6.a.e.c.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_8e1c7dc65b4f8892833bb6a965bb21678f4e1a_82810a17_16d4e8ad\Report.wer
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):12314
        Entropy (8bit):3.7695893550245785
        Encrypted:false
        SSDEEP:192:qDGi20oX0qHBUZMX4jed+B+/u7sHS274ItWck:GGiwXRBUZMX4jeM+/u7sHX4ItWck
        MD5:0EE5A43B8A1EA3C7F44B770AD845375D
        SHA1:55BBF243D86AE27553B87811868496151B592D62
        SHA-256:2C47A4C5A50F2FDB29412A52A25132BBBDDC055162FFC1283E818BF39F12F57D
        SHA-512:54AF33487705E7E88B09449CA3122470FF72AACA3C975A023625078DA0B9A8067F11EDE6855FCA888AEF5C7CAF1359AB97A08EF94FA55545D283484B86D7A2DD
        Malicious:false
        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.7.4.0.6.4.5.8.1.7.7.0.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.7.4.0.6.4.6.6.6.1.4.4.5.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.f.1.a.0.8.8.-.9.e.5.0.-.4.7.1.2.-.b.0.7.3.-.a.4.3.f.3.c.f.b.6.4.d.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.9.9.f.8.7.5.-.9.5.3.4.-.4.0.0.6.-.a.f.8.d.-.d.b.8.8.c.3.3.c.2.9.4.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.1.8.-.0.0.0.1.-.0.0.1.7.-.f.e.2.4.-.7.b.6.8.e.c.2.f.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER106A.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8254
        Entropy (8bit):3.694052520088763
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNiSY6H6YlH6ag5BgmfTk3SYaCpr989b8hsfsUm:RrlsNiN6H6Y16aIgmfTk3SY48afW
        MD5:2824E6215E50A019396614F4032D5B17
        SHA1:701A66B90FC0BDDDC45FE30C7F830714D9C4221B
        SHA-256:0DB773CB57811D90FD5F47501B44D9084DC692D9A9CE4E4FDCEC60508919C4A1
        SHA-512:FB9A549427E90351D3122D827FB1EF00A7147C46E639D445D596043928993B1A38C711392E61BACF6F315AC14AA7B09BCAF5FBA9FD643C88DF5D08CE2C96BD49
        Malicious:false
        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.9.2.8.<./.P.i.d.>.......
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER1107.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4629
        Entropy (8bit):4.457468995670789
        Encrypted:false
        SSDEEP:48:cvIwSD8zsdiJgtWI9C8WSC8BRHL8fm8M4JCdswFmC+q8/5n4SrS5d:uITfip1SNMJfCUDW5d
        MD5:29C2797C5BA474C101A946E1AA47F4AA
        SHA1:570FA443DED89119AFC2D22F45294496ED66BC91
        SHA-256:3272A98333ACFFECFA08D650F065C2E2A6EB4F7B36980E483685A4DA519B1092
        SHA-512:46915D2F580C91F61936C2C34809644615BB9C8504D29D4438D6270073E1B387230BC6D2DEDDB658E9EDDB6B60F2221A872A9E3A97CE9F2A217EFEED849A1DDE
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943668" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER15C8.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 22:37:39 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):47560
        Entropy (8bit):2.0961769412214015
        Encrypted:false
        SSDEEP:192:xPaMVIAuBo1jsSqHhNjB49T0QAp2Q2iKQ2sjtpSwnLet:x0BovqBZG9hAplUsj9L+
        MD5:135EAA6FCF8D0245E54DFFD54941E8A9
        SHA1:2C7A40D97736AF36073837E50C5740F4803F342C
        SHA-256:D2D81873CEF781444295345AC822A4CE8D6D66DE7001E311245E1EAB613DCB7F
        SHA-512:F1789CECDEAA26BA3CBEE94C22BB7DC556F0F49F5E8702D05FBD984A8D913A10A5A83E21D83AAF5FC1039879CA3A18D7059E01003D4EFFEC153A6563BF04F268
        Malicious:false
        Preview: MDMP....... .........t`...................U...........B......<.......GenuineIntelW...........T.............t`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER177E.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8248
        Entropy (8bit):3.692388734375029
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNigU6+6Yl+6ag5BgmfTBSYaCprRN89bSqsfSGm:RrlsNij6+6YM6aIgmfTBSYrqSJfK
        MD5:A53532775D62C1F08A3F36A33AFCD25F
        SHA1:5A7C07B3E6EF00BF910D39B96E2E0658A1D5BEAB
        SHA-256:A94274271F6DADDED36573B06CA12EBB6BE990CDEEC115A1001D37358D036856
        SHA-512:85953B709212AEDA948E402B6DEE210886F8B2D98867C29CC817A229D6D15CA6274293ECC1E45B571AD010DC1698C1616BC3F6F714C051D2D0D1D95F7E26FB43
        Malicious:false
        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.6.8.<./.P.i.d.>.......
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER181B.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.456077970284452
        Encrypted:false
        SSDEEP:48:cvIwSD8zsdiJgtWI9C8WSC8BRz8fm8M4JCdsnFPw45+q8/pr4SrSMd:uITfip1SNUJDwO6DWMd
        MD5:12308FC7EB3A734D70CA6A5641E7F082
        SHA1:C04106D3B1820F890F09B4F51D6AE7DB9DFEA31E
        SHA-256:0F7F71176446D2798557FA2FDB0607A6F60972039C187A438EF112BA123B9477
        SHA-512:060277EF0015E160394AABE22DF3F3D5C9AB6F024B49CF0EDBA12DDC12E67F047EABE0C50F83B1188ECC98C0B2A416EB204F074F706FB4D134A8159AEEC95F4F
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943668" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER5949.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 22:37:57 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):46156
        Entropy (8bit):2.115211313804719
        Encrypted:false
        SSDEEP:192://BbJDF9OI90nRthxcjB49T0QAeVBPIZzWnmfK:XpYRtjaG9hAePIZKaK
        MD5:8FA63BDDB9618163E58D6F89092D79EA
        SHA1:D4C8A273E1ECC9241367DC3926031970DD83DC26
        SHA-256:A3A39D4D1913826AFCB3D137110E5D595D957FD82471EC5E1EAEC48B62713951
        SHA-512:56C641CBD9E37E4C28CF74FF1386C52D2C6D0697C4E96C7F08DB86E034A6C06C287EBA72899651EBCCCF014790F61CBC53AA29A8C27D73557074C5D022C9DB26
        Malicious:false
        Preview: MDMP....... .........t`...................U...........B......<.......GenuineIntelW...........T.......L.....t`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D61.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8248
        Entropy (8bit):3.6926364982583566
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNiLr6AdI6Yl66lmgmfTgSYaCpru89b6nsfb01em:RrlsNin6X6Yo6UgmfTgSYl6sfb6
        MD5:04C4F4F527742DD4B921AF2419D28D4C
        SHA1:3DD1C84D6B17F62D9656FF05E211FC2C4920520B
        SHA-256:11C61D43C2ACB27AAC2ED5E356C0A17B478E5BE8E674AC2C7908BABF8FDB8A06
        SHA-512:5D91DB67E16D7F9A4F90EE9894B4C7CE049DFED8269FA727A9B1EE54C2362049D249FBB6DEBA4963BFED98A76D02A92AF166DD6DF2F618020C381789DDEDA30E
        Malicious:false
        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.2.0.<./.P.i.d.>.......
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E2D.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.456868111783803
        Encrypted:false
        SSDEEP:48:cvIwSD8zsdiJgtWI9C8WSC8BR78fm8M4JCds8F3C+q8/pT4SrSod:uITfip1SNkJ0CKDWod
        MD5:1ABBFB49D46E7F7CD2A5D43D75B1A4FE
        SHA1:CDE14F5EB5309A9515DAB274294C73E6D99BF8FC
        SHA-256:C30CE647DF6730687F14B9225FD23A7F28EE01B0C1EBD6A187A6D557F068FF8F
        SHA-512:D2D94BCAD9F234263DBCA97DFB9D3FFC43A935A1232054420D3515AF71F02B3645765C454BDF98667DDBD8EEC422B70130EE786EC6F285AD8DEB41EB62CA2282
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943668" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WER964.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 22:37:37 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):52204
        Entropy (8bit):2.0760074592212834
        Encrypted:false
        SSDEEP:192:98DXGBlnAti/tQAGhbLPzxotXtj+em14bgm8lgnTi:RlAgQAGFHmHj+EbT2
        MD5:077C4C61C47DA8414160687840B322A0
        SHA1:15A821EEBA4BD32ADE6BA6C4A0B5C6F7700757D1
        SHA-256:4131A17D0F987BF6A5DEA1BD9A3BA484FDFA5F1396E16A9DB1A9E7B7E1004377
        SHA-512:D08530924F60D4878E8EB7165CBFB7A632740F5ED58427B7D947E59823273BFE8FBC209100F9C881E732A6C9DC918574C91459D4CA8E310550D523AC164C9908
        Malicious:false
        Preview: MDMP....... .........t`...................U...........B......l.......GenuineIntelW...........T.......@.....t`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERD60F.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 22:37:23 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):47824
        Entropy (8bit):2.031695947274906
        Encrypted:false
        SSDEEP:192:L6z3ouCvUvp/BA5RnTsvajB49T0QAA+ro62Q6USLXNb:c36Mvp/I1TnG9hAAVQ6tz9
        MD5:8DF414F6FCF7C22D51C373A18FEC34CE
        SHA1:3A07F9B392B1D45BEB9275F9D8C2643068E4E676
        SHA-256:30B83FB043EC6DDADEADE22A87A24C192AF73C44E2299CC88E317E342A9AB89A
        SHA-512:8F2744D410202D2650E84BF00BF272226B5E1033F86AD3BDA748035CC70FE80D9B03B205AA96C1B7281926E802E9892FC39D5F3E762EFBEC269585FE53E10E70
        Malicious:false
        Preview: MDMP....... .........t`...................U...........B......<.......GenuineIntelW...........T.............t`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERD63E.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 22:37:23 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):51912
        Entropy (8bit):2.026857221534779
        Encrypted:false
        SSDEEP:192:ACqZVKWjauYv+XPzxotXtjzsNZGnuYseWnjoA:uZVpauO+7mHjz+GnuREA
        MD5:81A185BA6265E2D57556D14DE9AB9551
        SHA1:557EBAED35228613069794AE01A45F3A70F8FBDA
        SHA-256:4762A16C1AF657610030E11EDED1B8B82CAF6D77870C03C00C342D76D2AEFDE6
        SHA-512:C6AC056E515AD64E5A99108EE6457876AFF97204060797F5E91F1AF2FB4C7AE00B2C556F7597454D34A13F766223D2023070ADDC98B0E04B3A4E491EAA666F11
        Malicious:false
        Preview: MDMP....... .........t`...................U...........B......l.......GenuineIntelW...........T.............t`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERD833.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8238
        Entropy (8bit):3.6886133556067975
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNiXO6Fh6Ylg6625BgmfT5SYaCprF89b5nasfETm:RrlsNi+6T6Yi67gmfT5SYg5n5ft
        MD5:5AD4332490E4D6A684E2F4D70A9CC8D8
        SHA1:030E8E9CB7B186BDBC1F6E25FF7B72C9CB546DF5
        SHA-256:E6208855953B8C2D4C85916F927D598ED8FA8B426E3F89ACF83FB42A29BF09B5
        SHA-512:827B0AB0447DC7F213E8F11C6B8F43AA7C1F118BBCA1270710718B4C5827FE3B2444C3F9270BA00D8575BD6296B003818016B05A79CD3D3031CCF89210357451
        Malicious:false
        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.0.<./.P.i.d.>.........
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8A1.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8236
        Entropy (8bit):3.690729134128786
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNiMR6T6YHf6DgmfT5SYaCprR389b5nosfwTm:RrlsNiq6T6Y/6DgmfT5SYro5nbfJ
        MD5:43A9442D48A90C9653155C8255A8FA38
        SHA1:0D2D51BCC8B56A57B6A54F90DFBAED1FD5912E22
        SHA-256:887E8C455527B7F174B43D446C1C89E761A00A75132C652C2EA3D5E5F4451CE0
        SHA-512:C2F5A29AAFEDEFD38296F8C7DC6C1882E67C017DCC4333AA4D986748BC574526ECAE4BF4F666A681C4D10820C68194553C5F4B35A1826F5B5C8065066222DDF8
        Malicious:false
        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.9.0.8.<./.P.i.d.>.........
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8A1.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.454715130110772
        Encrypted:false
        SSDEEP:48:cvIwSD8zsdiJgtWI9C8WSC8BRa8fm8M4JCdsHFg+q8/pe4SrSjd:uITfip1SNDJUDDWjd
        MD5:F9F18283F0F0871DE351918D1D423B38
        SHA1:B53E18FEC130A5FAFDDEF8658153A9D334F5DFC7
        SHA-256:A8460D83BF8A2EABEF318715D959C1DAC0DDB72A8D3B1562E479999B67EC6AC0
        SHA-512:95324641A33B92A4A101DD1710B0B13B91AFFD25815522099B12A95578C298BDFBD4BECF7DC7AF6F0F82F444C868344C0968A4ECA09FC3BA69D779729ED0E034
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943668" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERD92F.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.457204122894694
        Encrypted:false
        SSDEEP:48:cvIwSD8zsdiJgtWI9C8WSC8BR18fm8M4JCdsHFV+q8/pn4SrSYd:uITfip1SNmJh6DWYd
        MD5:F749AB0BAB15344712559D3E40E27C4C
        SHA1:1AB1F7687073462002BE4F842B846E57D0E76526
        SHA-256:4A91B9A9D85498492017A9789F853655BC99996B1E5DDDE16C814757296B7AEB
        SHA-512:80CE493FB24310BC9205F23D3CFC3217F87569B3D5763E316BBB3FD9049DBAB856683F91AF2F0BD50AC9629279AEF1699634D8709315668ACD29268C537DFDE0
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943668" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERE179.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 22:37:26 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):48412
        Entropy (8bit):2.4236105120867473
        Encrypted:false
        SSDEEP:192:9Puon2vsesUbP5ugjmY/ZzjB49T0QAE+r+GoBkn2sAo:p7VuPIImY/pG9hAEQoCrV
        MD5:897C1EB44B0EFC32C65E0C6AD76BCC2B
        SHA1:265AE04C276679CEB837D27EF8774F5564F2EA3D
        SHA-256:9C2E4AEA995E32B7A7A894180FC737492BDADE7DA715BBC3A6227ED13A7CE53A
        SHA-512:EE0FC70892A99695B6B74F72506F67FB85866D80735916B4001FD46EC1F07CEDBBDCEEDFE9AC0FD669123C1BCE29941A0D4A8A1B3193DAFF30F81F8EFBA49FE6
        Malicious:false
        Preview: MDMP....... .........t`...................U...........B......<.......GenuineIntelW...........T.............t`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERE36E.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8256
        Entropy (8bit):3.692219645923817
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNiS+6S6YlD6i5BgmfT9SYaCprI89bUOsfvxcm:RrlsNiL6S6Yh6KgmfT9SYHUNfv/
        MD5:1A62481E32DF7C5A5D8D395E66352573
        SHA1:CC1C66F8972C189F39BA972008386E3ABACFEC87
        SHA-256:1BA3748C8C0C092EA96AA0B3EE8214D418DDA7127AE9BCA974BA18C3D7E5BBE4
        SHA-512:0A053BE53F67F479F648ECCCE0970D89FE766099E09C6F0829D27BE7102B63FEB30FCD568CE21A5821EBDF5CAF3BCC604D6B8FD41F37BA180B53E469FD7DCAE4
        Malicious:false
        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.2.0.<./.P.i.d.>.......
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERE42A.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.4587604010172806
        Encrypted:false
        SSDEEP:48:cvIwSD8zsdiJgtWI9C8WSC8BRlM8fm8M4JCdszFXWP+q8/pNb4SrSOd:uITfip1SNpxJHWP4DWOd
        MD5:5B338868161B2751E14C6F2158DE8A93
        SHA1:F8370DDF34C20C3033F9ADA0D66956C40D561917
        SHA-256:91C243B18CACF7CFD449894D4277AB4ED6BE2B7D9E0E2257284438CD74BEB7C2
        SHA-512:34DA1375647EF86737186BED4103A9541CBCC429821CA522FB53B78C15B6A3E2E66892A78F9F8A50EBBF2DA64B8CA44E6C2D29D61E3529C777C818BAB7D5EDCC
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943668" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE1B.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 22:37:29 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):49456
        Entropy (8bit):2.324936217516685
        Encrypted:false
        SSDEEP:192:2DERcEoz2XzRJ6ErhCdgcKdpE+NlrjB49T0QADPWjsGt+rE0Xn8:LRhzRJHc7gpE+vXG9hADPWz+78
        MD5:B117A59DB3F5FFCFC16D855D6D25B665
        SHA1:802E437B2D0F5F14D5D295C9F5DC69C68BF6A0DA
        SHA-256:EE3C6E83309796BDC6E0E73AAFA34A576AE62AE0FD96C711022041A328B03758
        SHA-512:9BAE73528023D3BC1B06B38BCB6CE6A244AE742B30CBB2B64E072B1405DC52914306F8C40A1ADAF81BF1CF63498A20947194A0CC7DB092D12AA10568AA7372FB
        Malicious:false
        Preview: MDMP....... .........t`...................U...........B......<.......GenuineIntelW...........T.......<.....t`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
        C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFD2.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8248
        Entropy (8bit):3.692832842021345
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNiZY6e1S6YlL685BgmfT9SYaCprRN89bjasfDhm:RrlsNi26e1S6Yp6EgmfT9SYrqj5f4
        MD5:0011F324F914930CE390B49420411144
        SHA1:758D23B80151DE2FD9F3C2D23B173FDE8FF7DD64
        SHA-256:C7B313F5C94AB2774F40EC901763EA4C4DDE5ED1ABFFA578BCC86B0CCB26AB05
        SHA-512:57F11D3F964B4FF59C22381F47B4A980FD29259783B6B4D9D0DAD4395086890C66332C773AF6036A72D316BD6C4D1DBD09ECBE74FF8471793BFBEF05298DCD83
        Malicious:false
        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.3.6.<./.P.i.d.>.......
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERF06F.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.45638562939769
        Encrypted:false
        SSDEEP:48:cvIwSD8zsdiJgtWI9C8WSC8BRf8fm8M4JCdszFUC+q8/p94SrSBd:uITfip1SNgJkCUDWBd
        MD5:C47970AC16B5DC011F3759220E165DED
        SHA1:0EFEEDD1281456C765351929629AB335C5099D83
        SHA-256:2C12085780753121E5305963D8A157CC4C76E6820D49B50B78F228E531B15FB7
        SHA-512:6100FB43AB7758515EDFBB92F5C52581A4795C3FAFD34EFF7BC8309B0B817050AC81EB7D4A9005B3F962A5188BB28F952D713ADAC13F3BEEF5A9F3B492E50E69
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943668" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA70.tmp.dmp
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:Mini DuMP crash report, 14 streams, Mon Apr 12 22:37:32 2021, 0x1205a4 type
        Category:dropped
        Size (bytes):49468
        Entropy (8bit):2.32448379060306
        Encrypted:false
        SSDEEP:192:EIPKJMEJtDfQbY7MPErHXJJ+5qYygXhTkJxnf4LjB49T0QABhNzWDShVRfnKA7:NKBJtod8LXJJgNXhTy6G9hABhNKWhbP7
        MD5:859038BA02D9EB3D82EB95D1BE73CB2D
        SHA1:4E2A21E1C37F30A72F4E9B576D177F1A8E357DA9
        SHA-256:3DBB2C3299FCB4C2EBCDAADF0A3B8BBB38D42C2277C5254B5379C56C2B3968BF
        SHA-512:8957FAA8FDF20D4D0067C7141C0628D533F4187F5A4E8DD5E34FD26C2BB92659B205E022C7C2FBEB1BE18001814CAB43E54B14430F050A67F03686724C67233F
        Malicious:false
        Preview: MDMP....... .........t`...................U...........B......<.......GenuineIntelW...........T.......d.....t`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC65.tmp.WERInternalMetadata.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
        Category:dropped
        Size (bytes):8244
        Entropy (8bit):3.691837329981628
        Encrypted:false
        SSDEEP:192:Rrl7r3GLNipHJ676YlN6S5BgmfT2SYaCprC89bh+sfrLm:RrlsNipp676Yf66gmfT2SYJh9fm
        MD5:303909D69682068BF5E8E4FC53E5CBC0
        SHA1:500FBE3BE6BB4DE5DADD026BE9015881A8535FA0
        SHA-256:69A9250299F214507011B1067447CEB2FD1B1D445191090BCBF2964C2101B665
        SHA-512:4BC0377F2988742D301457C221D6A831C1D20D931DE66C26DA0F4C501D9D45781417B68B6BE473DE5B3F069C3BD65E398D9AB0DAB3FE9B4ECF5F01F3F1EB32DD
        Malicious:false
        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.8.8.<./.P.i.d.>.......
        C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD02.tmp.xml
        Process:C:\Windows\SysWOW64\WerFault.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):4623
        Entropy (8bit):4.455031873638163
        Encrypted:false
        SSDEEP:48:cvIwSD8zsdiJgtWI9C8WSC8BRpq8fm8M4JCdsiFqL+q8/pg4SrSFd:uITfip1SNlfJD5DWFd
        MD5:ED34800C5DB1A915DD8A0F80CD306374
        SHA1:4D54CE8D339E40D3FC191BFEC8E1D07FDE60A401
        SHA-256:7E3C158DC7A9FE153DE41BDE609D46DCBF6AC1ABB1518997CDCA13E3CDC911F8
        SHA-512:AC0FCA0C98C8D83E183634692183BF765601FBDE1A9AD99AE9623C3640D1A2ECBF1DE6DA2FF290E4FFDD6D2F894E2A6995DB8B48DC28427F615FFE29A8FC3E3E
        Malicious:false
        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="943668" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

        Static File Info

        General

        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Entropy (8bit):6.246113418766052
        TrID:
        • Win32 Dynamic Link Library (generic) (1002004/3) 98.32%
        • Windows Screen Saver (13104/52) 1.29%
        • Generic Win/DOS Executable (2004/3) 0.20%
        • DOS Executable Generic (2002/1) 0.20%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:utility.dll
        File size:194296
        MD5:c84fd1069470c4f7cbcd9fa10fc32615
        SHA1:94ca6af9cae336754da47e2b8694a1f33db78e89
        SHA256:59d2ed9608ac543bd671da7b17558ebce275f64dd80fc84abd10fd31dea49c5e
        SHA512:f37f6eaf9f234fbe93619c72e7e012fb37b6b5779ff80c244fc19bd3bb628b0193d275c3e7f21d168fcb0f994a49c61169b11fde30819543092d09b41283903d
        SSDEEP:3072:+KEDvFkRNFycul5xjfMEOlL9M0Uiu+SeiMEvqrWB37d7YM1t7OrGsLZQm:2vF1fIL9M0UiuheZEyrWBrhYMzOrGOT
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.@A_i.A_i.A_i..}b.C_i.:Ce.@_i..Cg.W_i..@c.4_i..@b.K_i.A_i.K_i.A_h.._i..P4.P_i.G|c.C_i.G|b.Z_i...m.@_i.RichA_i................

        File Icon

        Icon Hash:74f0e4ecccdce0e4

        Static PE Info

        General

        Entrypoint:0x1001782f
        Entrypoint Section:.text
        Digitally signed:true
        Imagebase:0x10000000
        Subsystem:windows gui
        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
        DLL Characteristics:
        Time Stamp:0x55C07E95 [Tue Aug 4 08:57:57 2015 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:f57837ddefd6a23c92486b80aca0917a

        Authenticode Signature

        Signature Valid:true
        Signature Issuer:CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
        Signature Validation Error:The operation completed successfully
        Error Number:0
        Not Before, Not After
        • 5/3/2015 5:00:00 PM 5/7/2016 4:59:59 PM
        Subject Chain
        • CN=Northcode Inc., OU=SECURE APPLICATION DEVELOPMENT, O=Northcode Inc., L=Ottawa, S=Ontario, C=CA
        Version:3
        Thumbprint MD5:C53B59F35C5767ABA434E5064C15AB35
        Thumbprint SHA-1:AB6E9D1997F370BB16124928C4817BBC196BE3FA
        Thumbprint SHA-256:653E2B5E0DC1BBD9E0696457D74C4CADF306AEB7BC8AE16B0CD9A15E9700605A
        Serial:7EFA7BCE3063E7499CE40F37454B10A6

        Entrypoint Preview

        Instruction
        push ebp
        mov ebp, esp
        push ebx
        mov ebx, dword ptr [ebp+08h]
        push esi
        mov esi, dword ptr [ebp+0Ch]
        push edi
        mov edi, dword ptr [ebp+10h]
        test esi, esi
        jne 00007F2DC8E46DEBh
        cmp dword ptr [1002ED14h], 00000000h
        jmp 00007F2DC8E46E08h
        cmp esi, 01h
        je 00007F2DC8E46DE7h
        cmp esi, 02h
        jne 00007F2DC8E46E04h
        mov eax, dword ptr [1002F444h]
        test eax, eax
        je 00007F2DC8E46DEBh
        push edi
        push esi
        push ebx
        call eax
        test eax, eax
        je 00007F2DC8E46DEEh
        push edi
        push esi
        push ebx
        call 00007F2DC8E46CCCh
        test eax, eax
        jne 00007F2DC8E46DE6h
        xor eax, eax
        jmp 00007F2DC8E46E30h
        push edi
        push esi
        push ebx
        call 00007F2DC8E324C6h
        cmp esi, 01h
        mov dword ptr [ebp+0Ch], eax
        jne 00007F2DC8E46DEEh
        test eax, eax
        jne 00007F2DC8E46E19h
        push edi
        push eax
        push ebx
        call 00007F2DC8E46CA8h
        test esi, esi
        je 00007F2DC8E46DE7h
        cmp esi, 03h
        jne 00007F2DC8E46E08h
        push edi
        push esi
        push ebx
        call 00007F2DC8E46C97h
        test eax, eax
        jne 00007F2DC8E46DE5h
        and dword ptr [ebp+0Ch], eax
        cmp dword ptr [ebp+0Ch], 00000000h
        je 00007F2DC8E46DF3h
        mov eax, dword ptr [1002F444h]
        test eax, eax
        je 00007F2DC8E46DEAh
        push edi
        push esi
        push ebx
        call eax
        mov dword ptr [ebp+0Ch], eax
        mov eax, dword ptr [ebp+0Ch]
        pop edi
        pop esi
        pop ebx
        pop ebp
        retn 000Ch
        mov eax, dword ptr [1002ED20h]
        cmp eax, 01h
        je 00007F2DC8E46DEFh
        test eax, eax
        jne 00007F2DC8E46DF0h
        cmp dword ptr [1002ED24h], 01h
        jne 00007F2DC8E46DE7h
        call 00007F2DC8E4B222h
        push dword ptr [esp+04h]
        call 00007F2DC8E4B252h
        push 000000FFh

        Rich Headers

        Programming Language:
        • [LNK] VC++ 6.0 SP5 build 8804

        Data Directories

        NameVirtual AddressVirtual Size Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT0x240200xa3c.rdata
        IMAGE_DIRECTORY_ENTRY_IMPORT0x231d80xb4.rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
        IMAGE_DIRECTORY_ENTRY_SECURITY0x2e0000x16f8.data
        IMAGE_DIRECTORY_ENTRY_BASERELOC0x310000x16dc.reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_IAT0x200000x2d0.rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

        Sections

        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
        .text0x10000x1efe90x1f000False0.54097624748data6.67713038792IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rdata0x200000x4a5c0x5000False0.51171875data5.97801634413IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data0x250000xb4640x6000False0.198323567708data2.64122400209IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .reloc0x310000x20ea0x3000False0.399332682292data4.07308642566IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

        Imports

        DLLImport
        USER32.dllLoadCursorA, GetCursor, LoadImageA, UnregisterClassA, CreateWindowExA, RegisterClassA, DestroyWindow, DispatchMessageA, GetMessageA, PostMessageA, DefWindowProcA, GetWindowDC, OffsetRect, UnionRect, IntersectRect, ValidateRect, RedrawWindow, InvalidateRect, GetWindowLongA, SetWindowLongA, SetWindowRgn, GetDC, ReleaseDC, GetWindowRect, GetClientRect, ClientToScreen, SetRect, MessageBoxA, wsprintfA
        KERNEL32.dllCloseHandle, ReadFile, WriteFile, CreateFileA, GetFullPathNameA, DeleteFileA, LocalFree, LocalAlloc, GetFileSize, SetFilePointer, SetThreadPriority, GetThreadPriority, QueryPerformanceCounter, QueryPerformanceFrequency, GetCurrentThread, FreeLibrary, GetProcAddress, LoadLibraryA, GetLastError, SetFileAttributesA, GetFileAttributesA, lstrcpynA, lstrlenA, lstrcpyA, SystemTimeToFileTime, GetSystemTime, CompareFileTime, WideCharToMultiByte, MultiByteToWideChar, CreateThread, GetStringTypeW, GetTickCount, SetSystemTime, FileTimeToSystemTime, HeapFree, HeapAlloc, GetProcessHeap, GetVersion, GetStartupInfoA, GetCurrentProcess, GetModuleHandleA, SetLastError, GetVersionExA, CreateProcessA, GetStringTypeA, LCMapStringW, LCMapStringA, HeapSize, TerminateProcess, TlsGetValue, TlsFree, TlsAlloc, TlsSetValue, GetCurrentThreadId, ExitProcess, DeleteCriticalSection, InitializeCriticalSection, SetHandleCount, GetStdHandle, GetFileType, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetUnhandledExceptionFilter, IsBadReadPtr, RaiseException, IsBadCodePtr, GetCPInfo, FlushFileBuffers, SetStdHandle, GetACP, GetOEMCP, CompareStringA, CompareStringW, SetEnvironmentVariableA, ExitThread, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetModuleFileNameA, GetCommandLineA, LeaveCriticalSection, EnterCriticalSection, GetLocalTime, RtlUnwind, HeapReAlloc, InterlockedDecrement, InterlockedIncrement, GetTimeZoneInformation
        WSOCK32.dllWSACleanup, listen, bind, htons, closesocket, WSAAsyncSelect, socket, WSAGetLastError, accept, recv, send, connect, gethostbyname, WSAStartup
        GDI32.dllGetObjectA, GetDIBits, OffsetRgn, BitBlt, DeleteDC, CreateCompatibleDC, SelectObject, ExtCreateRegion, CreateDIBSection, GetRegionData, CreateRectRgn, CombineRgn, DeleteObject, GetDeviceCaps
        ADVAPI32.dllRegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, IsValidSid, EqualSid, GetSidSubAuthorityCount, GetSidLengthRequired, GetSidIdentifierAuthority, InitializeSid, GetSidSubAuthority, GetTokenInformation
        ole32.dllStgIsStorageFile, StgOpenStorage
        OLEAUT32.dllSysAllocString, SysStringByteLen, SysAllocStringByteLen, SysAllocStringLen, GetErrorInfo
        NETAPI32.dllNetUserModalsGet, NetApiBufferFree

        Exports

        NameOrdinalAddress
        CPUSpeed10x100019d0
        Decrypt30x10001f10
        Decrypt2BinStr20x10001ff0
        DecryptEx40x10001eb0
        Deflate50x100013b0
        DeflateToMemory60x100018a0
        DirectDrawEnumDisplayModes70x100026b0
        DirectDrawIsSupported80x10002560
        DirectDrawRestoreDisplayMode90x10002650
        DirectDrawSetDisplayMode100x100025c0
        DirectoryAdd110x10002870
        DirectoryClear120x10002830
        DirectoryDump130x10002820
        DirectoryLoadFile150x10002a70
        DirectoryLoadFile2140x10002b80
        DirectoryReadFileChunk160x10002de0
        DirectorySaveFile170x10002e40
        Encrypt180x10001d30
        EncryptEx190x10001e50
        FLAGetVersion200x10003310
        FLAOpenFile210x10002f80
        FileDecrypt220x10002290
        FileEncrypt230x10002170
        Hash240x10001c00
        Inflate250x100013d0
        InflateHeader260x10001460
        InflateHeaderFromBuffer270x10001640
        InflateToMemory280x10001780
        IsCursorARROW290x100023e0
        IsCursorIBEAM300x100023f0
        NetworkListMACs310x100066d0
        PluginDispatch320x100036b0
        PluginDispatchEx330x100036e0
        PluginDispatchSync340x10003710
        PluginDispatchSyncEx350x10003750
        PluginGet360x100035a0
        PluginOnLoad370x10003650
        PluginOnUnload380x10003680
        PluginSet390x100035e0
        PluginSetEx400x10003610
        RegionSave410x10003cd0
        RegionScan420x100037b0
        RegionScanEx430x10003ac0
        SecurityAddDays440x100047c0
        SecurityDelete450x10004430
        SecurityGetExpiryDate460x100041b0
        SecurityGetExpiryFlag470x10004170
        SecurityGetTimeNow480x10004270
        SecurityGetUserData490x10004210
        SecurityIsExpired500x10004290
        SecurityIsFirstRun510x10004150
        SecurityLoad520x10003e90
        SecurityReset530x100046a0
        SecuritySave540x10004340
        SecuritySetExpiryDate550x100041e0
        SecuritySetExpiryFlag560x10004190
        SecuritySetUserData570x10004240
        SecurityWipeMemory580x10004470
        ServerGetPort730x10004d60
        ServerGetWindow740x10004d50
        ServerIsListening750x10004d70
        ServerListen760x10004a80
        ServerListenOnPort770x10004b60
        ServerSetVirtualRoot780x10004d80
        ServerStart790x10004990
        ServerStop800x10004cd0
        SysInfoGetAdaptersInfo590x10006db0
        Test600x10007220
        TimeGetFileTime610x10006b40
        TimeSync620x10006cc0
        ToolsChangeWindowMessageFilter630x10007920
        ToolsGetDefaultPrinter640x100077f0
        ToolsGetProcessMemoryInfo650x100076f0
        ToolsGetStartupWindowState660x100072b0
        ToolsIsUserAnAdmin670x100073e0
        ToolsLockWorkStation680x10007240
        ToolsReleaseMemory690x10007660
        ToolsSetDefaultPrinter700x100078c0
        ToolsValidateUserCredentials710x100077d0
        TransparentAttachChild810x10007db0
        TransparentBegin820x10007c50
        TransparentBringToFront830x10007e10
        TransparentDetachChild840x10007dd0
        TransparentEnable850x10007c80
        TransparentEnd860x10007e30
        TransparentForceMaskedMode870x10007ca0
        TransparentFreeze880x10007d40
        TransparentIsMaskedMode890x10007cc0
        TransparentSetBackgroundColor900x10007d20
        TransparentSetChildPos910x10007df0
        TransparentSetColorDepth920x10007d00
        TransparentSetQuality930x10007ce0
        TransparentWMPaint940x10007d60
        UtilityIsLoaded720x10002f70

        Network Behavior

        Network Port Distribution

        UDP Packets

        TimestampSource PortDest PortSource IPDest IP
        Apr 12, 2021 15:37:23.776918888 CEST5836153192.168.2.38.8.8.8
        Apr 12, 2021 15:37:23.825750113 CEST53583618.8.8.8192.168.2.3
        Apr 12, 2021 15:37:24.070734024 CEST6349253192.168.2.38.8.8.8
        Apr 12, 2021 15:37:24.119632006 CEST53634928.8.8.8192.168.2.3
        Apr 12, 2021 15:37:26.444294930 CEST6083153192.168.2.38.8.8.8
        Apr 12, 2021 15:37:26.503865004 CEST53608318.8.8.8192.168.2.3
        Apr 12, 2021 15:37:29.556344986 CEST6010053192.168.2.38.8.8.8
        Apr 12, 2021 15:37:29.609024048 CEST53601008.8.8.8192.168.2.3
        Apr 12, 2021 15:37:32.758222103 CEST5319553192.168.2.38.8.8.8
        Apr 12, 2021 15:37:32.807192087 CEST53531958.8.8.8192.168.2.3
        Apr 12, 2021 15:37:35.368165016 CEST5014153192.168.2.38.8.8.8
        Apr 12, 2021 15:37:35.440346003 CEST53501418.8.8.8192.168.2.3
        Apr 12, 2021 15:37:36.116631031 CEST5302353192.168.2.38.8.8.8
        Apr 12, 2021 15:37:36.174431086 CEST53530238.8.8.8192.168.2.3
        Apr 12, 2021 15:37:37.256149054 CEST4956353192.168.2.38.8.8.8
        Apr 12, 2021 15:37:37.308007956 CEST53495638.8.8.8192.168.2.3
        Apr 12, 2021 15:37:37.837579966 CEST5135253192.168.2.38.8.8.8
        Apr 12, 2021 15:37:37.897800922 CEST53513528.8.8.8192.168.2.3
        Apr 12, 2021 15:37:37.926729918 CEST5934953192.168.2.38.8.8.8
        Apr 12, 2021 15:37:37.975469112 CEST53593498.8.8.8192.168.2.3
        Apr 12, 2021 15:37:38.354058981 CEST5708453192.168.2.38.8.8.8
        Apr 12, 2021 15:37:38.402890921 CEST53570848.8.8.8192.168.2.3
        Apr 12, 2021 15:37:39.676330090 CEST5882353192.168.2.38.8.8.8
        Apr 12, 2021 15:37:39.725358963 CEST53588238.8.8.8192.168.2.3
        Apr 12, 2021 15:37:40.847671032 CEST5756853192.168.2.38.8.8.8
        Apr 12, 2021 15:37:40.896512032 CEST53575688.8.8.8192.168.2.3
        Apr 12, 2021 15:37:45.495614052 CEST5054053192.168.2.38.8.8.8
        Apr 12, 2021 15:37:45.545123100 CEST53505408.8.8.8192.168.2.3
        Apr 12, 2021 15:37:46.699636936 CEST5436653192.168.2.38.8.8.8
        Apr 12, 2021 15:37:46.748308897 CEST53543668.8.8.8192.168.2.3
        Apr 12, 2021 15:37:47.149960995 CEST5303453192.168.2.38.8.8.8
        Apr 12, 2021 15:37:47.225677967 CEST53530348.8.8.8192.168.2.3
        Apr 12, 2021 15:37:48.022911072 CEST5776253192.168.2.38.8.8.8
        Apr 12, 2021 15:37:48.074620008 CEST53577628.8.8.8192.168.2.3
        Apr 12, 2021 15:37:49.700583935 CEST5543553192.168.2.38.8.8.8
        Apr 12, 2021 15:37:49.749530077 CEST53554358.8.8.8192.168.2.3
        Apr 12, 2021 15:37:50.856734991 CEST5071353192.168.2.38.8.8.8
        Apr 12, 2021 15:37:50.905729055 CEST53507138.8.8.8192.168.2.3
        Apr 12, 2021 15:37:52.339027882 CEST5613253192.168.2.38.8.8.8
        Apr 12, 2021 15:37:52.390705109 CEST53561328.8.8.8192.168.2.3
        Apr 12, 2021 15:37:53.093946934 CEST5898753192.168.2.38.8.8.8
        Apr 12, 2021 15:37:53.152700901 CEST53589878.8.8.8192.168.2.3
        Apr 12, 2021 15:37:57.678445101 CEST5657953192.168.2.38.8.8.8
        Apr 12, 2021 15:37:57.727410078 CEST53565798.8.8.8192.168.2.3
        Apr 12, 2021 15:37:58.847767115 CEST6063353192.168.2.38.8.8.8
        Apr 12, 2021 15:37:58.904966116 CEST53606338.8.8.8192.168.2.3
        Apr 12, 2021 15:38:00.414699078 CEST6129253192.168.2.38.8.8.8
        Apr 12, 2021 15:38:00.466526031 CEST53612928.8.8.8192.168.2.3
        Apr 12, 2021 15:38:01.019088030 CEST6361953192.168.2.38.8.8.8
        Apr 12, 2021 15:38:01.077980042 CEST53636198.8.8.8192.168.2.3
        Apr 12, 2021 15:38:01.310767889 CEST6493853192.168.2.38.8.8.8
        Apr 12, 2021 15:38:01.362205982 CEST53649388.8.8.8192.168.2.3
        Apr 12, 2021 15:38:02.305921078 CEST6194653192.168.2.38.8.8.8
        Apr 12, 2021 15:38:02.355874062 CEST53619468.8.8.8192.168.2.3
        Apr 12, 2021 15:38:04.202950954 CEST6491053192.168.2.38.8.8.8
        Apr 12, 2021 15:38:04.251912117 CEST53649108.8.8.8192.168.2.3
        Apr 12, 2021 15:38:04.353370905 CEST5212353192.168.2.38.8.8.8
        Apr 12, 2021 15:38:04.365056038 CEST5613053192.168.2.38.8.8.8
        Apr 12, 2021 15:38:04.415431976 CEST53561308.8.8.8192.168.2.3
        Apr 12, 2021 15:38:04.419857025 CEST53521238.8.8.8192.168.2.3
        Apr 12, 2021 15:38:04.667881966 CEST5633853192.168.2.38.8.8.8
        Apr 12, 2021 15:38:04.728338957 CEST53563388.8.8.8192.168.2.3
        Apr 12, 2021 15:38:05.506933928 CEST5942053192.168.2.38.8.8.8
        Apr 12, 2021 15:38:05.555906057 CEST53594208.8.8.8192.168.2.3
        Apr 12, 2021 15:38:07.002561092 CEST5878453192.168.2.38.8.8.8
        Apr 12, 2021 15:38:07.060362101 CEST53587848.8.8.8192.168.2.3
        Apr 12, 2021 15:38:07.235048056 CEST6397853192.168.2.38.8.8.8
        Apr 12, 2021 15:38:07.283976078 CEST53639788.8.8.8192.168.2.3
        Apr 12, 2021 15:38:07.901146889 CEST6293853192.168.2.38.8.8.8
        Apr 12, 2021 15:38:07.959809065 CEST53629388.8.8.8192.168.2.3
        Apr 12, 2021 15:38:10.202023983 CEST5570853192.168.2.38.8.8.8
        Apr 12, 2021 15:38:10.250639915 CEST53557088.8.8.8192.168.2.3
        Apr 12, 2021 15:38:11.025602102 CEST5680353192.168.2.38.8.8.8
        Apr 12, 2021 15:38:11.074461937 CEST53568038.8.8.8192.168.2.3
        Apr 12, 2021 15:38:13.193722963 CEST5714553192.168.2.38.8.8.8
        Apr 12, 2021 15:38:13.245479107 CEST53571458.8.8.8192.168.2.3
        Apr 12, 2021 15:38:13.395973921 CEST5535953192.168.2.38.8.8.8
        Apr 12, 2021 15:38:13.444628954 CEST53553598.8.8.8192.168.2.3
        Apr 12, 2021 15:38:14.225234032 CEST5830653192.168.2.38.8.8.8
        Apr 12, 2021 15:38:14.299627066 CEST53583068.8.8.8192.168.2.3
        Apr 12, 2021 15:38:14.556699991 CEST6412453192.168.2.38.8.8.8
        Apr 12, 2021 15:38:14.605465889 CEST53641248.8.8.8192.168.2.3
        Apr 12, 2021 15:38:15.448067904 CEST4936153192.168.2.38.8.8.8
        Apr 12, 2021 15:38:15.501127005 CEST53493618.8.8.8192.168.2.3
        Apr 12, 2021 15:38:16.365973949 CEST6315053192.168.2.38.8.8.8
        Apr 12, 2021 15:38:16.414992094 CEST53631508.8.8.8192.168.2.3
        Apr 12, 2021 15:38:22.344455004 CEST5327953192.168.2.38.8.8.8
        Apr 12, 2021 15:38:22.396333933 CEST53532798.8.8.8192.168.2.3
        Apr 12, 2021 15:38:22.420856953 CEST5688153192.168.2.38.8.8.8
        Apr 12, 2021 15:38:22.469569921 CEST53568818.8.8.8192.168.2.3
        Apr 12, 2021 15:38:23.232795000 CEST5364253192.168.2.38.8.8.8
        Apr 12, 2021 15:38:23.294663906 CEST53536428.8.8.8192.168.2.3
        Apr 12, 2021 15:38:25.565232992 CEST5566753192.168.2.38.8.8.8
        Apr 12, 2021 15:38:25.622898102 CEST53556678.8.8.8192.168.2.3
        Apr 12, 2021 15:38:45.531151056 CEST5483353192.168.2.38.8.8.8
        Apr 12, 2021 15:38:45.579962015 CEST53548338.8.8.8192.168.2.3
        Apr 12, 2021 15:38:47.469578028 CEST6247653192.168.2.38.8.8.8
        Apr 12, 2021 15:38:47.519100904 CEST53624768.8.8.8192.168.2.3
        Apr 12, 2021 15:38:55.438565969 CEST4970553192.168.2.38.8.8.8
        Apr 12, 2021 15:38:55.487325907 CEST53497058.8.8.8192.168.2.3
        Apr 12, 2021 15:40:05.805751085 CEST6147753192.168.2.38.8.8.8
        Apr 12, 2021 15:40:05.873660088 CEST53614778.8.8.8192.168.2.3
        Apr 12, 2021 15:40:06.354765892 CEST6163353192.168.2.38.8.8.8
        Apr 12, 2021 15:40:06.411943913 CEST53616338.8.8.8192.168.2.3
        Apr 12, 2021 15:40:07.203736067 CEST5594953192.168.2.38.8.8.8
        Apr 12, 2021 15:40:07.283396006 CEST53559498.8.8.8192.168.2.3
        Apr 12, 2021 15:40:07.666245937 CEST5760153192.168.2.38.8.8.8
        Apr 12, 2021 15:40:07.725917101 CEST53576018.8.8.8192.168.2.3
        Apr 12, 2021 15:40:08.168935061 CEST4934253192.168.2.38.8.8.8
        Apr 12, 2021 15:40:08.262109041 CEST53493428.8.8.8192.168.2.3
        Apr 12, 2021 15:40:08.702919006 CEST5625353192.168.2.38.8.8.8
        Apr 12, 2021 15:40:08.762516975 CEST53562538.8.8.8192.168.2.3
        Apr 12, 2021 15:40:09.129040003 CEST4966753192.168.2.38.8.8.8
        Apr 12, 2021 15:40:09.281012058 CEST53496678.8.8.8192.168.2.3
        Apr 12, 2021 15:40:09.845436096 CEST5543953192.168.2.38.8.8.8
        Apr 12, 2021 15:40:09.903076887 CEST53554398.8.8.8192.168.2.3
        Apr 12, 2021 15:40:10.691759109 CEST5706953192.168.2.38.8.8.8
        Apr 12, 2021 15:40:10.754353046 CEST53570698.8.8.8192.168.2.3
        Apr 12, 2021 15:40:11.133805037 CEST5765953192.168.2.38.8.8.8
        Apr 12, 2021 15:40:11.191056967 CEST53576598.8.8.8192.168.2.3

        DNS Queries

        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
        Apr 12, 2021 15:38:04.667881966 CEST192.168.2.38.8.8.80x7298Standard query (0)clientconfig.passport.netA (IP address)IN (0x0001)

        DNS Answers

        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
        Apr 12, 2021 15:37:35.440346003 CEST8.8.8.8192.168.2.30xeabfNo error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.trafficmanager.netCNAME (Canonical name)IN (0x0001)
        Apr 12, 2021 15:37:36.174431086 CEST8.8.8.8192.168.2.30xac9aNo error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.trafficmanager.netCNAME (Canonical name)IN (0x0001)
        Apr 12, 2021 15:37:37.308007956 CEST8.8.8.8192.168.2.30xf0a5No error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.trafficmanager.netCNAME (Canonical name)IN (0x0001)
        Apr 12, 2021 15:37:37.897800922 CEST8.8.8.8192.168.2.30xa66fNo error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.trafficmanager.netCNAME (Canonical name)IN (0x0001)
        Apr 12, 2021 15:38:04.728338957 CEST8.8.8.8192.168.2.30x7298No error (0)clientconfig.passport.netauthgfx.msa.akadns6.netCNAME (Canonical name)IN (0x0001)

        Code Manipulations

        Statistics

        Behavior

        Click to jump to process

        System Behavior

        Analysis Process: loaddll32.exe PID: 3664 Parent PID: 5768

        General

        Start time:15:37:20
        Start date:12/04/2021
        Path:C:\Windows\System32\loaddll32.exe
        Wow64 process (32bit):true
        Commandline:loaddll32.exe 'C:\Users\user\Desktop\utility.dll'
        Imagebase:0x1030000
        File size:116736 bytes
        MD5 hash:542795ADF7CC08EFCF675D65310596E8
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate

        Analysis Process: cmd.exe PID: 4080 Parent PID: 3664

        General

        Start time:15:37:20
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
        Imagebase:0xbd0000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Analysis Process: rundll32.exe PID: 460 Parent PID: 3664

        General

        Start time:15:37:21
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,CPUSpeed
        Imagebase:0x880000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Analysis Process: rundll32.exe PID: 908 Parent PID: 4080

        General

        Start time:15:37:21
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe 'C:\Users\user\Desktop\utility.dll',#1
        Imagebase:0x880000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Analysis Process: WerFault.exe PID: 5360 Parent PID: 460

        General

        Start time:15:37:22
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 688
        Imagebase:0x370000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Analysis Process: WerFault.exe PID: 1956 Parent PID: 908

        General

        Start time:15:37:22
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 696
        Imagebase:0x370000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Analysis Process: rundll32.exe PID: 4120 Parent PID: 3664

        General

        Start time:15:37:24
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt
        Imagebase:0x880000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Analysis Process: WerFault.exe PID: 5816 Parent PID: 4120

        General

        Start time:15:37:25
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 688
        Imagebase:0x370000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Analysis Process: rundll32.exe PID: 5436 Parent PID: 3664

        General

        Start time:15:37:27
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,Decrypt2BinStr
        Imagebase:0x880000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Analysis Process: WerFault.exe PID: 5512 Parent PID: 5436

        General

        Start time:15:37:28
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 688
        Imagebase:0x370000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Analysis Process: rundll32.exe PID: 5988 Parent PID: 3664

        General

        Start time:15:37:30
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DecryptEx
        Imagebase:0x880000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Analysis Process: WerFault.exe PID: 5352 Parent PID: 5988

        General

        Start time:15:37:31
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 688
        Imagebase:0x370000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: rundll32.exe PID: 4928 Parent PID: 3664

        General

        Start time:15:37:34
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,Deflate
        Imagebase:0x880000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: WerFault.exe PID: 3580 Parent PID: 4928

        General

        Start time:15:37:35
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 688
        Imagebase:0x370000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: rundll32.exe PID: 1268 Parent PID: 3664

        General

        Start time:15:37:37
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DeflateToMemory
        Imagebase:0x880000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: WerFault.exe PID: 3512 Parent PID: 1268

        General

        Start time:15:37:38
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 688
        Imagebase:0x370000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: rundll32.exe PID: 3352 Parent PID: 3664

        General

        Start time:15:37:40
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawEnumDisplayModes
        Imagebase:0x880000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: rundll32.exe PID: 5716 Parent PID: 3664

        General

        Start time:15:37:44
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawIsSupported
        Imagebase:0x880000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: rundll32.exe PID: 5324 Parent PID: 3664

        General

        Start time:15:37:47
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawRestoreDisplayMode
        Imagebase:0x1310000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: rundll32.exe PID: 3544 Parent PID: 3664

        General

        Start time:15:37:50
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectDrawSetDisplayMode
        Imagebase:0x1f0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: rundll32.exe PID: 6220 Parent PID: 3664

        General

        Start time:15:37:53
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryAdd
        Imagebase:0x1f0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: WerFault.exe PID: 6332 Parent PID: 6220

        General

        Start time:15:37:55
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\WerFault.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 688
        Imagebase:0x1380000
        File size:434592 bytes
        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: rundll32.exe PID: 6356 Parent PID: 3664

        General

        Start time:15:37:57
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryClear
        Imagebase:0x1f0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Analysis Process: rundll32.exe PID: 6444 Parent PID: 3664

        General

        Start time:15:38:00
        Start date:12/04/2021
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:rundll32.exe C:\Users\user\Desktop\utility.dll,DirectoryDump
        Imagebase:0x1f0000
        File size:61952 bytes
        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Disassembly

        Code Analysis

        Reset < >