

Analysis Report dqH3t8JU1x.exe

Overview

General Information

Sample Name: dqH3t8JU1x.exe
Analysis ID: 388215
MD5: 06e21af52a3e3e5173a6a53725b1c217
SHA1: 273760ea9b8cf2b4e60e48ed7ea96ab92bb3fa1d
SHA256: 61c2d5a213f1b68ef98f2800f02697650ccf28eb38ec07635f0bffcdf18a803a
Tags: Cybergate, exe

Most interesting Screenshot:

Detection

CyberGate
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CyberGate RAT
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • dqH3t8JU1x.exe (PID: 6776 cmdline: 'C:\Users\user\Desktop\dqH3t8JU1x.exe' MD5: 06E21AF52A3E3E5173A6A53725B1C217)
    • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • TEXTURAFIVEM.exe (PID: 6984 cmdline: 'C:\Windows\install\TEXTURAFIVEM.exe' MD5: 06E21AF52A3E3E5173A6A53725B1C217)
        • explorer.exe (PID: 2200 cmdline: explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • TEXTURAFIVEM.exe (PID: 5432 cmdline: 'C:\Windows\install\TEXTURAFIVEM.exe' MD5: 06E21AF52A3E3E5173A6A53725B1C217)
            • WerFault.exe (PID: 6740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 620 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • TEXTURAFIVEM.exe (PID: 7096 cmdline: 'C:\Windows\install\TEXTURAFIVEM.exe' MD5: 06E21AF52A3E3E5173A6A53725B1C217)
        • explorer.exe (PID: 1768 cmdline: explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • WerFault.exe (PID: 5856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1104 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • TEXTURAFIVEM.exe (PID: 4024 cmdline: 'C:\Windows\install\TEXTURAFIVEM.exe' MD5: 06E21AF52A3E3E5173A6A53725B1C217)
        • explorer.exe (PID: 4908 cmdline: explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • WerFault.exe (PID: 5968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1112 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • explorer.exe (PID: 5908 cmdline: explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • WerFault.exe (PID: 6872 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 1104 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: CyberGate

{"C2 list": ["eduzao.ddns.net:7000", "eduzao.ddns.net:2020", "eduzao.ddns.net:2200", "eduzao.ddns.net:4400"], "Password": "123", "InstallFlag": "TRUE", "InstallDir": "install", "InstallFileName": "TEXTURAFIVEM.exe", "ActiveXStartup": "{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}", "REGKeyHKLM": "HKLM", "REGKeyHKCU": "HKCU", "EnableMessageBox": "TRUE", "MessageBoxIcon": "16", "MessageBoxButton": "0", "InstallMessageTitle": "TEXTURAFIVEM", "InstallMessage": "ESSE ARQUIVO NAO PODE SER EXECUTADO", "ActivateKeylogger": "TRUE", "KeyloggerBackspace": "TRUE", "KeyloggerEnableFTP": "FALSE", "FTPAddress": "ftp.server.com", "FTPDirectory": "./logs/", "FTPUserName": "ftp_user", "FTPPort": "21", "FTPInterval": "30", "ProcessInjection": "2", "ProcessNameForInjection": "explorer.exe", "Persistance": "FALSE", "HideFile": "FALSE", "ChangeCreationDate": "FALSE", "Mutex": "***MUTEX***", "MeltFile": "TRUE", "CyberGateVersion": "2.6", "StartupPolicies": "Policies", "USBSpread": "FALSE"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
  • 0x140f8:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed
  • 0x73fc:$s5: \Internet Explorer\iexplore.exe
  • 0x142a8:$s7: BTMemoryGetProcAddress: DLL doesn't export anything
00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
  • 0x140f8:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed
  • 0x73fc:$s5: \Internet Explorer\iexplore.exe
  • 0x142a8:$s7: BTMemoryGetProcAddress: DLL doesn't export anything
00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp | JoeSecurity_CyberGate | Yara detected CyberGate RAT | Joe Security
00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp | JoeSecurity_CyberGate | Yara detected CyberGate RAT | Joe Security
00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
(16 further memory-dump entries are collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author | Strings
20.2.explorer.exe.24010000.6.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
  • 0x140f8:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed
  • 0x73fc:$s5: \Internet Explorer\iexplore.exe
  • 0x142a8:$s7: BTMemoryGetProcAddress: DLL doesn't export anything
20.2.explorer.exe.24010000.6.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
25.2.TEXTURAFIVEM.exe.400000.0.unpack | RAT_CyberGate | Detects CyberGate RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x15ef6:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x15f97:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x15ffa:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x16007:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x1608a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x160c1:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x160ce:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x160db:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x160e8:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x160f5:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x16102:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x1610f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x1611c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x16186:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x16014:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x16097:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x160a5:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x160b3:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x16148:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x16156:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x16164:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
25.2.TEXTURAFIVEM.exe.400000.0.unpack | JoeSecurity_CyberGate | Yara detected CyberGate RAT | Joe Security
25.2.TEXTURAFIVEM.exe.400000.0.unpack | CyberGate | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x15ef6:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x15f97:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x15ffa:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x16007:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x1608a:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x160c1:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x160ce:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x160db:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x160e8:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x160f5:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x16102:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x1610f:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x1611c:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x16186:$string1: 23 23 23 23 40 23 23 23 23 E8 EE E9 F9 23 23 23 23 40 23 23 23 23
  • 0x16014:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x16097:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x160a5:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x160b3:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x16148:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x16156:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
  • 0x16164:$string2: 23 23 23 23 40 23 23 23 23 FA FD F0 EF F9 23 23 23 23 40 23 23 23 23
(22 further unpacked-PE entries are collapsed in the original report)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: dqH3t8JU1x.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\install\TEXTURAFIVEM.exe, Avira: detection malicious, Label: WORM/Rebhip.V
Found malware configuration
Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, Malware Configuration Extractor: CyberGate {"C2 list": ["eduzao.ddns.net:7000", "eduzao.ddns.net:2020", "eduzao.ddns.net:2200", "eduzao.ddns.net:4400"], "Password": "123", "InstallFlag": "TRUE", "InstallDir": "install", "InstallFileName": "TEXTURAFIVEM.exe", "ActiveXStartup": "{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}", "REGKeyHKLM": "HKLM", "REGKeyHKCU": "HKCU", "EnableMessageBox": "TRUE", "MessageBoxIcon": "16", "MessageBoxButton": "0", "InstallMessageTitle": "TEXTURAFIVEM", "InstallMessage": "ESSE ARQUIVO NAO PODE SER EXECUTADO", "ActivateKeylogger": "TRUE", "KeyloggerBackspace": "TRUE", "KeyloggerEnableFTP": "FALSE", "FTPAddress": "ftp.server.com", "FTPDirectory": "./logs/", "FTPUserName": "ftp_user", "FTPPort": "21", "FTPInterval": "30", "ProcessInjection": "2", "ProcessNameForInjection": "explorer.exe", "Persistance": "FALSE", "HideFile": "FALSE", "ChangeCreationDate": "FALSE", "Mutex": "***MUTEX***", "MeltFile": "TRUE", "CyberGateVersion": "2.6", "StartupPolicies": "Policies", "USBSpread": "FALSE"}
Multi AV Scanner detection for dropped file
Source: C:\Windows\install\TEXTURAFIVEM.exe, ReversingLabs: Detection: 100%
Multi AV Scanner detection for submitted file
Source: dqH3t8JU1x.exe, Virustotal: Detection: 90%
Source: dqH3t8JU1x.exe, ReversingLabs: Detection: 100%
Machine Learning detection for dropped file
Source: C:\Windows\install\TEXTURAFIVEM.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: dqH3t8JU1x.exe, Joe Sandbox ML: detected
Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, Avira: Label: WORM/Rebhip.Y
Source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, Avira: Label: WORM/Rebhip.Y
Source: 5.0.TEXTURAFIVEM.exe.400000.0.unpack, Avira: Label: WORM/Rebhip.V
Source: 25.0.TEXTURAFIVEM.exe.400000.0.unpack, Avira: Label: WORM/Rebhip.V
Source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, Avira: Label: WORM/Rebhip.Y
Source: 1.0.dqH3t8JU1x.exe.400000.0.unpack, Avira: Label: WORM/Rebhip.V
Source: 4.0.TEXTURAFIVEM.exe.400000.0.unpack, Avira: Label: WORM/Rebhip.V
Source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, Avira: Label: WORM/Rebhip.Y
Source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, Avira: Label: WORM/Rebhip.Y
Source: 9.0.TEXTURAFIVEM.exe.400000.0.unpack, Avira: Label: WORM/Rebhip.V
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe, Code function: 1_2_00408AD5 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,1_2_00408AD5
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe, Code function: 1_2_00408AF8 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,1_2_00408AF8
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe, Code function: 1_2_0040930B CredEnumerateA,CryptUnprotectData,1_2_0040930B
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe, Code function: 1_2_0040930C CredEnumerateA,CryptUnprotectData,1_2_0040930C
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe, Code function: 1_2_00408E58 RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,RegEnumValueA,RegCloseKey,1_2_00408E58
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 4_2_00408AD5 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,4_2_00408AD5
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 4_2_00408AF8 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,4_2_00408AF8
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 4_2_0040930B CredEnumerateA,CryptUnprotectData,4_2_0040930B
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 4_2_0040930C CredEnumerateA,CryptUnprotectData,4_2_0040930C
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 4_2_00408E58 RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,RegEnumValueA,RegCloseKey,4_2_00408E58
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 5_2_00408AD5 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,5_2_00408AD5
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 5_2_00408AF8 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,5_2_00408AF8
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 5_2_0040930B CredEnumerateA,CryptUnprotectData,5_2_0040930B
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 5_2_0040930C CredEnumerateA,CryptUnprotectData,5_2_0040930C
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 5_2_00408E58 RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,RegEnumValueA,RegCloseKey,5_2_00408E58
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 9_2_00408AD5 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,9_2_00408AD5
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 9_2_00408AF8 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,9_2_00408AF8
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 9_2_0040930B CredEnumerateA,CryptUnprotectData,9_2_0040930B
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 9_2_0040930C CredEnumerateA,CryptUnprotectData,9_2_0040930C
Source: C:\Windows\install\TEXTURAFIVEM.exe, Code function: 9_2_00408E58 RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,RegEnumValueA,RegCloseKey,9_2_00408E58
Source: dqH3t8JU1x.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: Binary string: msacm32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: RmClient.pdb= source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
Source: Binary string: msvfw32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001C.00000003.530664291.0000000004FCE000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.553818944.0000000000BCA000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
Source: Binary string: pstorec.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001C.00000003.530712712.00000000031F1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: SettingSyncCore.pdbd source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdbhr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbe source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
Source: Binary string: avicap32.pdbq source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb{ source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdbc source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbp source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
Source: Binary string: ole32.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbw source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.358325341.0000000007AA0000.00000002.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb|r# source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbzr- source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000025.00000002.603618013.0000000000C12000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbd source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbRr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbO source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdbF source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001C.00000003.530725448.00000000031F7000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552560599.0000000000B94000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.564345998.0000000003273000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbY source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: wsock32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdb`? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb.rQ source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbU source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
Source: Binary string: twinapi.appcore.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: wsock32.pdb; source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
Source: Binary string: msacm32.pdbF? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbLrs source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdbC source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb^r source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: rasman.pdb@r source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: ws2_32.pdbx? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: explorer.pdb source: WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdbA source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdbL? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdbm source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: cryptsp.pdbr? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: userenv.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: SettingSyncCore.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: TextInputFramework.pdbd source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdbpr7 source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: RmClient.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdbfr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb*Rp source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001C.00000003.530712712.00000000031F1000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552533833.0000000000B8E000.00000004.00000001.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wsock32.pdbP?}& source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvfw32.pdbS source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: msasn1.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdbM source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: rasman.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdbi source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdbJr} source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.358325341.0000000007AA0000.00000002.00000001.sdmp
            Source: Binary string: twinapi.pdb source: WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: WINMMBASE.pdbY source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: avicap32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001C.00000003.530737964.00000000031FD000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552584359.0000000000B9A000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.566720629.0000000003279000.00000004.00000001.sdmp
            Source: Binary string: iphlpapi.pdb! source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: WinTypes.pdb} source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: combase.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: wtsapi32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: wsock32.pdbw source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: pstorec.pdbTr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: RmClient.pdbS source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp
            Source: explorer.exe; Binary or memory string: autorun.inf
            Source: explorer.exe; Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
            Source: explorer.exe; Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp; Binary or memory string: [autorun]
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp; Binary or memory string: H[autorun]
            Source: explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp; Binary or memory string: [autorun]
            Source: explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp; Binary or memory string: H[autorun]
            Source: explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp; Binary or memory string: autorun.inf
            Source: explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp; Binary or memory string: [autorun]
            Source: explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp; Binary or memory string: H[autorun]
            Source: explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp; Binary or memory string: autorun.inf
            Source: explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp; Binary or memory string: [autorun]
            Source: explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp; Binary or memory string: H[autorun]
            Source: explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp; Binary or memory string: autorun.inf
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe; Code function: 1_2_00405D04 FindFirstFileA,FindClose
            Source: C:\Windows\install\TEXTURAFIVEM.exe; Code function: 4_2_00405D04 FindFirstFileA,FindClose
            Source: C:\Windows\install\TEXTURAFIVEM.exe; Code function: 5_2_00405D04 FindFirstFileA,FindClose
            Source: C:\Windows\install\TEXTURAFIVEM.exe; Code function: 9_2_00405D04 FindFirstFileA,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_24016C78 FindFirstFileA,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_240145F0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_2403D390 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_240163E8 FindFirstFileA,GetLastError
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_24016C77 FindFirstFileA,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_24015FE2 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_24015FE4 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_240409E4 FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_2404092C GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA

            Networking:

            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractor; URLs: eduzao.ddns.net:7000
            Source: Malware configuration extractor; URLs: eduzao.ddns.net:2020
            Source: Malware configuration extractor; URLs: eduzao.ddns.net:2200
            Source: Malware configuration extractor; URLs: eduzao.ddns.net:4400
            Uses dynamic DNS services
            Source: unknown; DNS query: name: eduzao.ddns.net
            Source: unknown; DNS traffic detected: queries for: eduzao.ddns.net

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Contains functionality to register a low level keyboard hook
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe; Code function: 1_2_0040BBF4 SetWindowsHookExA 0000000D,Function_0000B0B8,00400000,00000000
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_2403CDE0 OpenClipboard,GetClipboardData,DragQueryFile,DragQueryFile,CloseClipboard
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_24037464 GetDesktopWindow,GetDC,CreateCompatibleDC,GetClientRect,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe; Code function: 1_2_0040B0B8 GetKeyboardState,ToAscii
            Source: dqH3t8JU1x.exe, 00000001.00000002.529914221.000000000073A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: C:\Windows\SysWOW64\explorer.exe; Code function: 20_2_2405038C GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState
            Source: Yara match; File source: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000016.00000002.629145832.000000002406B000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000001E.00000002.630397058.000000002406B000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000015.00000002.629304269.00000000240DB000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: explorer.exe PID: 2200, type: MEMORY
            Source: Yara match; File source: Process Memory Space: explorer.exe PID: 5908, type: MEMORY
            Source: Yara match; File source: Process Memory Space: explorer.exe PID: 1768, type: MEMORY
            Source: Yara match; File source: Process Memory Space: explorer.exe PID: 4908, type: MEMORY
            Source: Yara match; File source: 20.2.explorer.exe.24010000.6.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 30.2.explorer.exe.24010000.3.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 21.2.explorer.exe.24080000.3.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 22.2.explorer.exe.24010000.3.unpack, type: UNPACKEDPE

            E-Banking Fraud:

            Yara detected CyberGate RAT
            Source: Yara match; File source: 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: TEXTURAFIVEM.exe PID: 5432, type: MEMORY
            Source: Yara match; File source: Process Memory Space: TEXTURAFIVEM.exe PID: 4024, type: MEMORY
            Source: Yara match; File source: Process Memory Space: TEXTURAFIVEM.exe PID: 6984, type: MEMORY
            Source: Yara match; File source: Process Memory Space: dqH3t8JU1x.exe PID: 6776, type: MEMORY
            Source: Yara match; File source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
            Source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_24015C1C OpenProcess,NtQueryInformationProcess,NtSetInformationProcess,CloseHandle,FindCloseChangeNotification
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_2403B690 NtdllDefWindowProc_A
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_2403EAA0 SetPropA,GetPropA,NtdllDefWindowProc_A
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_2403C950 OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_2401528E ExitWindowsEx
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | File created: C:\Windows\install\
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_24056188
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_2402F414
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_240334CC
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_24035C24
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_2402FD44
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_24035970
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 24013480 appears 140 times
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 24015008 appears 56 times
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 240130DC appears 64 times
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 24013388 appears 37 times
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 2402562C appears 392 times
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Code function: String function: 00401AE4 appears 37 times
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Code function: String function: 00403610 appears 38 times
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: String function: 00401E10 appears 60 times
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: String function: 00401AC0 appears 81 times
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: String function: 00403630 appears 33 times
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: String function: 00401B58 appears 39 times
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: String function: 00401898 appears 33 times
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: String function: 00401AE4 appears 111 times
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: String function: 00403610 appears 114 times
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 620
            Source: dqH3t8JU1x.exe | Static PE information: Resource name: RT_ICON type: SVR2 pure executable (Amdahl-UTS) not stripped - version 428919424
            Source: TEXTURAFIVEM.exe.1.dr | Static PE information: Resource name: RT_ICON type: SVR2 pure executable (Amdahl-UTS) not stripped - version 428919424
            Source: dqH3t8JU1x.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
            Source: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.2.explorer.exe.24010000.6.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
            Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
            Source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
            Source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
            Source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
            Source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
            Source: 30.2.explorer.exe.24010000.3.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 20.2.explorer.exe.24010000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
            Source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
            Source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
            Source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
            Source: 22.2.explorer.exe.24010000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.2.explorer.exe.24080000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 21.2.explorer.exe.24080000.3.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 22.2.explorer.exe.24010000.3.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: 30.2.explorer.exe.24010000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/24@4/0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_24015B30 GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_2403C424 GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_2403CBE4 OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Code function: 1_2_00404460 FindResourceA,SizeofResource,LoadResource,LockResource,FreeResource
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_2403C858 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle
            Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Roaming\logs.dat
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Mutant created: \Sessions\1\BaseNamedObjects\_x_X_UPDATE_X_x_
            Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\***MUTEX***
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4908
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Mutant created: \Sessions\1\BaseNamedObjects\_x_X_BLOCKMOUSE_X_x_
            Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\_x_X_PASSWORDLIST_X_x_
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1768
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5908
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5432
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | File created: C:\Users\user\AppData\Local\Temp\XX--XX--XX.txt
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Process created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Process created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Process created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Process created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\SysWOW64\explorer.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: dqH3t8JU1x.exe | Virustotal: Detection: 90%
            Source: dqH3t8JU1x.exe | ReversingLabs: Detection: 100%
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | File read: C:\Users\user\Desktop\dqH3t8JU1x.exe
            Source: unknown | Process created: C:\Users\user\Desktop\dqH3t8JU1x.exe 'C:\Users\user\Desktop\dqH3t8JU1x.exe'
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\install\TEXTURAFIVEM.exe 'C:\Windows\install\TEXTURAFIVEM.exe'
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\install\TEXTURAFIVEM.exe 'C:\Windows\install\TEXTURAFIVEM.exe'
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\install\TEXTURAFIVEM.exe 'C:\Windows\install\TEXTURAFIVEM.exe'
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
            Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\install\TEXTURAFIVEM.exe 'C:\Windows\install\TEXTURAFIVEM.exe'
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 620
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
            Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 1104
            Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1104
            Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1112
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: Binary string: msacm32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: RmClient.pdb= source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: msvfw32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001C.00000003.530664291.0000000004FCE000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.553818944.0000000000BCA000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: pstorec.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001C.00000003.530712712.00000000031F1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: SettingSyncCore.pdbd source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: rasapi32.pdbhr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: mpr.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdbe source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: avicap32.pdbq source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb{ source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: ntmarta.pdbc source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdbp source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: ole32.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdbw source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.358325341.0000000007AA0000.00000002.00000001.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdb|r# source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: oleaut32.pdbzr- source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: winmm.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000025.00000002.603618013.0000000000C12000.00000004.00000001.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: ole32.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdbd source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdbRr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: advapi32.pdbO source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: Kernel.Appcore.pdbF source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001C.00000003.530725448.00000000031F7000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552560599.0000000000B94000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.564345998.0000000003273000.00000004.00000001.sdmp
            Source: Binary string: wimm32.pdbY source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wsock32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wininet.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: comctl32.pdb`? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb.rQ source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdbU source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: twinapi.appcore.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wsock32.pdb; source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: msacm32.pdbF? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbLrs source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdbC source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb^r source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: rasman.pdb@r source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: ws2_32.pdbx? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: explorer.pdb source: WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdbA source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdbL? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdbm source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: cryptsp.pdbr? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: userenv.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: SettingSyncCore.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: TextInputFramework.pdbd source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdbpr7 source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: RmClient.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdbfr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb*Rp source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001C.00000003.530712712.00000000031F1000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552533833.0000000000B8E000.00000004.00000001.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wsock32.pdbP?}& source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvfw32.pdbS source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: msasn1.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdbM source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: rasman.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdbi source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdbJr} source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.358325341.0000000007AA0000.00000002.00000001.sdmp
            Source: Binary string: twinapi.pdb source: WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: WINMMBASE.pdbY source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: avicap32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001C.00000003.530737964.00000000031FD000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552584359.0000000000B9A000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.566720629.0000000003279000.00000004.00000001.sdmp
            Source: Binary string: iphlpapi.pdb! source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: WinTypes.pdb} source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: combase.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: wtsapi32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: wsock32.pdbw source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: pstorec.pdbTr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: RmClient.pdbS source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00455C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00455C10
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00404846 push 00404874h; ret 1_2_0040486C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00404848 push 00404874h; ret 1_2_0040486C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004048E4 push 00404910h; ret 1_2_00404908
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004050EC push 00405118h; ret 1_2_00405110
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040B080 push 0040B0ACh; ret 1_2_0040B0A4
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0045288C push cs; retf 1_2_0045288D
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004058A8 push 004058D4h; ret 1_2_004058CC
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00409948 push 00409974h; ret 1_2_0040996C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00407100 push 0040712Ch; ret 1_2_00407124
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00408918 push 00408954h; ret 1_2_0040894C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040891C push 00408954h; ret 1_2_0040894C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00407138 push 00407164h; ret 1_2_0040715C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004071C4 push 004071F0h; ret 1_2_004071E8
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040718C push 004071B8h; ret 1_2_004071B0
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040898E push 004089BCh; ret 1_2_004089B4
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00408990 push 004089BCh; ret 1_2_004089B4
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00452A04 push ds; retf 1_2_00452A12
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040720A push 00407238h; ret 1_2_00407230