Play interactive tour

Edit tour

Windows Analysis Report 8XMlaeHQXZ.exe

Overview

General Information

Sample Name:	8XMlaeHQXZ.exe
Analysis ID:	528756
MD5:	5643bf734d793e845166a228f3df83b3
SHA1:	4415ad682fd64baedf5c209bc0c2a3b619cf03e2
SHA256:	db79e0c2243229f8ba6a52deede597287b93801aa182af42f278542f31fb3324
Tags:	exeRedLineStealer
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

PE file has nameless sections

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Sample file is different than original file name gathered from version info

One or more processes crash

PE file contains an invalid checksum

Checks if the current process is being debugged

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file overlay found

Classification

Process Tree

System is w10x64

8XMlaeHQXZ.exe (PID: 5476 cmdline: "C:\Users\user\Desktop\8XMlaeHQXZ.exe" MD5: 5643BF734D793E845166A228F3DF83B3)

WerFault.exe (PID: 6648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 212 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Machine Learning detection for sample

Show sources

Source: 8XMlaeHQXZ.exe

Joe Sandbox ML: detected

Source: 8XMlaeHQXZ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

Source: 8XMlaeHQXZ.exe, 00000000.00000000.671939274.0000000000ABA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

PE file has nameless sections

Show sources

Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:

Source: 8XMlaeHQXZ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 8XMlaeHQXZ.exe

Static PE information: No import functions for PE file found

Source: 8XMlaeHQXZ.exe, 00000000.00000000.669090161.0000000000426000.00000080.00020000.sdmp	Binary or memory string: OriginalFilenamePantsuits.exe4 vs 8XMlaeHQXZ.exe
Source: 8XMlaeHQXZ.exe, 00000000.00000000.669090161.0000000000426000.00000080.00020000.sdmp	Binary or memory string: OriginalFilenameGeForce Experience PermissionT vs 8XMlaeHQXZ.exe
Source: 8XMlaeHQXZ.exe	Binary or memory string: OriginalFilenamePantsuits.exe4 vs 8XMlaeHQXZ.exe
Source: 8XMlaeHQXZ.exe	Binary or memory string: OriginalFilenameGeForce Experience PermissionT vs 8XMlaeHQXZ.exe

Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 212

Source: 8XMlaeHQXZ.exe

Static PE information: Data appended to the last section found

Source: 8XMlaeHQXZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: 8XMlaeHQXZ.exe	Static PE information: Section: ZLIB complexity 1.00057768486
Source: 8XMlaeHQXZ.exe	Static PE information: Section: ZLIB complexity 1.0107421875
Source: 8XMlaeHQXZ.exe	Static PE information: Section: ZLIB complexity 1.00716145833
Source: 8XMlaeHQXZ.exe	Static PE information: Section: ZLIB complexity 1.021484375
Source: 8XMlaeHQXZ.exe	Static PE information: Section: ZLIB complexity 1.00037704324

Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8XMlaeHQXZ.exe "C:\Users\user\Desktop\8XMlaeHQXZ.exe"
Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 212

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5476

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5561.tmp

Jump to behavior

Source: classification engine

Classification label: mal48.winEXE@2/6@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 8XMlaeHQXZ.exe

Static PE information: Raw size of is bigger than: 0x100000 < 0x104c00

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000004.00000003.677332982.0000000005501000.00000004.00000001.sdmp

Source: 8XMlaeHQXZ.exe

Static PE information: real checksum: 0x122111 should be: 0x3a656

Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name:
Source: 8XMlaeHQXZ.exe	Static PE information: section name: .m8o02uE
Source: 8XMlaeHQXZ.exe	Static PE information: section name: .adata

Source: 8XMlaeHQXZ.exe

Static PE information: 0xFBDADAB2 [Sun Nov 25 08:54:10 2103 UTC]

Source: initial sample	Static PE information: section name: entropy: 7.99485148323
Source: initial sample	Static PE information: section name: entropy: 7.80837604511
Source: initial sample	Static PE information: section name: entropy: 7.87119921588
Source: initial sample	Static PE information: section name: entropy: 7.59715435366
Source: initial sample	Static PE information: section name: entropy: 7.99861729183

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\8XMlaeHQXZ.exe

Process queried: DebugPort

Jump to behavior

Source: Amcache.hve.4.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion1	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing2	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	System Information Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
8XMlaeHQXZ.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528756
Start date:	25.11.2021
Start time:	18:41:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	8XMlaeHQXZ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winEXE@2/6@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 100%) Quality average: 68.5% Quality standard deviation: 31.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 52.182.143.212 Excluded domains from analysis (whitelisted): s-ring.msedge.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, t-ring.msedge.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, teams-ring.msedge.net VT rate limit hit for: /opt/package/joesandbox/database/analysis/528756/sample/8XMlaeHQXZ.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8XMlaeHQXZ.exe_eef3a584e8e34ce43e333fc8ab4acb864824d3c_c1f65c8e_18866dcb\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6304077596503469
Encrypted:	false
SSDEEP:	96:p04qtFcLEz4zH6DfhoDt7NflpXIQcQvc6QcEDMcw3DT+HbHg6ZAXGng5FMTPSkvt:4RoLHBUZMXQjE/u7spS274Itk
MD5:	F1DC039B554AB890258EC09467DB6C24
SHA1:	9DE682535714470077C857B83C0EE23239302C46
SHA-256:	1141883D1E50A954C4DBB6B053069AE03E791D311B897BD966AB40F6684C0508
SHA-512:	196BA3EF666620563FDE48E274A757F71EABD53E2B99EDB1CB8C977219018A72955A25C4C5007DECA68E6794C406AAF11F85706BC4C95E6273E6530BF9FF3594
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.3.3.5.7.5.6.1.8.7.4.3.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.3.3.5.7.6.0.9.8.4.3.3.9.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.d.0.9.4.5.4.-.f.2.6.d.-.4.a.f.a.-.8.3.a.f.-.4.f.8.c.4.5.b.d.e.c.b.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.3.f.5.4.0.3.-.d.d.b.5.-.4.9.b.e.-.8.7.f.3.-.5.1.9.4.b.f.b.2.7.d.7.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.8.X.M.l.a.e.H.Q.X.Z...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.a.n.t.s.u.i.t.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.6.4.-.0.0.0.1.-.0.0.1.b.-.6.c.e.0.-.0.d.d.3.2.3.e.2.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.c.7.a.d.a.8.c.9.2.6.6.3.e.6.0.e.e.c.0.e.1.9.1.d.3.c.0.1.2.9.a.0.0.0.0.0.0.0.0.!.0.0.0.0.4.4.1.5.a.d.6.8.2.f.d.6.4.b.a.e.d.f.5.c.2.0.9.b.c.0.c.2.a.3.b.6.1.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5561.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Nov 25 17:42:36 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	18328
Entropy (8bit):	2.1641229775618633
Encrypted:	false
SSDEEP:	96:558ib85GYJP5Hh5XF1Bi7kZdyvuqaRCMAEAmVLmtPi2WI9AIX4I455mtDD2:Ei4JRHLZOYyeRCEAHPiP5sVD2
MD5:	D8FEB31937852F9EE1C60A37EC4FC21D
SHA1:	05CECB87B4587ADB1845974F9D919263D82C6E7F
SHA-256:	E1680A8D9A1AFD37519000F198FFC2F6D2EC049998CBD8995F014089F4FB7DA8
SHA-512:	FFF5DA7DBD203A947BB4FCF91ACE98C13BBBAAA5D449CAD4702147D1826088C7FF85AEBA25D55E45ED23EFC37568E251783EACE9E1773AFB1A0D9310C10069EE
Malicious:	false
Reputation:	low
Preview:	MDMP....... .........a............4........... ...<.......d...............T.......8...........T................>..........\...........H....................................................................U...........B..............GenuineIntelW...........T.......d.....a.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER57B4.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8290
Entropy (8bit):	3.703152281919351
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiXd6RuW6YroSUSc/gmfsSb+pra89bxgsfF7m:RrlsNiN6Rf6YkSUSc/gmfsS8xzfU
MD5:	A46B781979DC0E5691DFB61F9FBAF0C0
SHA1:	F4F732F491767AE66C5C19B781DF5C5758E0995A
SHA-256:	8262F032BE88AE2D934DF2E18E973ED5E91C9FAE257412B4CB65490E3D6698A4
SHA-512:	782A69263EAE0FCA12FDC3E95AAC31CDFDA2343EC316512195C18A7E4C6C4D21ADF253B0BCFC086F876B5CF01087562889D48AF5E35715905B986EEC84168628
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A16.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4632
Entropy (8bit):	4.472291243795573
Encrypted:	false
SSDEEP:	48:cvIwSD8zsEJgtWI9OjsWSC8B48fm8M4J2dmHaZFE+q8D6lEEHS4SESKd:uITfCNjFSNrJsokEHmvKd
MD5:	31D97342DF63ECDB23A535339416ADCF
SHA1:	18A56F887B7C70A5B417FF5E2C5B77F0FF637BBB
SHA-256:	A6286CC1F02B83AD8A0F326E2DEAADD54D45F5167E92D1CC174F522A5D9EAEE7
SHA-512:	B1D26825A656CDFC50602D59C97CD10AB5C445AB83F526384E5F8922A91D7947FA7DDB55C3344D1ED887C934778DD2882B6074181FE96B2FF4BB1DE95DBCF427
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1270253" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.2443178379206605
Encrypted:	false
SSDEEP:	12288:bQNromkFU+mGUMsSF+91cBMpmoQ3vycGLa3gDDJ3KCE7EMTc:MNromkFU+mJMsSYXm
MD5:	518E34E6AF9A3C808A4F2997E1553053
SHA1:	AAB369444CE6E9C6A4BE56CA8DE4E4D26AB47171
SHA-256:	93B9496270FBD85CAD54089F9C98A5547B9C32616716269CF5B8FB128238C23F
SHA-512:	3F6142F644E875E348835B17ABD739D072736743F0F36FF16A3F749C3F1DDD57EDEC9040DA9460BB0D895E4A670EA3E050086AA2E241CC5705523965B1D71969
Malicious:	false
Reputation:	low
Preview:	regfH...H...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm^...#...............................................................................................................................................................................................................................................................................................................................................=0.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.7636913015141964
Encrypted:	false
SSDEEP:	768:n/2JONT2Xd5sCgQwqhQ4g/eeDze6NYtjdGKw6ksK:0OkXNfQ9hDYc
MD5:	578A8605EBFB68DE0665EEFB540C7A12
SHA1:	DA5A7C98CD2F07DF3F466736E24260BBA2029473
SHA-256:	270BCDE1586464434CE203C339694E3C730974A218A8C61184E3C6868AF8E2BF
SHA-512:	B03E1D9AD5B5F608D838766C95F9E59B4358E9AF04813142DD61EDBCCE94B9C4C328F9071AA1FD516872643F28C3566EC6FBF8FB2F4D87EC60DB22422191745C
Malicious:	false
Reputation:	low
Preview:	regfG...G...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm^...#...............................................................................................................................................................................................................................................................................................................................................;0.HvLE.n......G............A]#..z.G_.=u............... ............... ..hbin................p.\..,..........nk,..s..#................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..s..#....... ........................... .......Z.......................Root........lf......Root....nk ..s..#................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9827946846106395
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8XMlaeHQXZ.exe
File size:	178783
MD5:	5643bf734d793e845166a228f3df83b3
SHA1:	4415ad682fd64baedf5c209bc0c2a3b619cf03e2
SHA256:	db79e0c2243229f8ba6a52deede597287b93801aa182af42f278542f31fb3324
SHA512:	f144347f7f636e64d2373a3f72a65c17534cc3692939ab6dfa071ddb2ec204801271440597ad327897638b032e1e3cfb3de4c23a4f5f1fdc293e1feca0fb433e
SSDEEP:	3072:ZZTL5fTrvJNV/8aoc42iA/ZFDqLQN3N2GvshHDiRCxc9Vlale6fWmPCuRE3B2:ZZJrrvJY1szqLQNgASGEcPleVhP430
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............. ... ........@.. .......................`@.. ...!.....................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x402000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0xFBDADAB2 [Sun Nov 25 08:54:10 2103 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push 007B8001h
call 00007FCC40AD8216h
ret
ret
mov esp, 5B52EC24h
and eax, 85D09008h
call dword ptr [esi]
dec ecx
or eax, 54516EE4h
or dword ptr [esi-716443B1h], ebp
das
cmp ecx, ebx
fcomp5 st(7)
push 26A43768h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b8c7c	0xd8	.m8o02uE
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x88a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x100000

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x1a000	0x8e00	False	1.00057768486	data	7.99485148323	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x1c000	0x2000	0x400	False	1.0107421875	data	7.80837604511	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x1e000	0x2000	0x200	False	0.81640625	data	6.18655348449	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x20000	0x4000	0x600	False	1.00716145833	data	7.87119921588	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x24000	0x2000	0x200	False	1.021484375	data	7.59715435366	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x2000	0xa00	False	0.305859375	data	3.58730721769	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x28000	0x28a000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
	0x2b2000	0x106000	0x104c00	False	1.00037704324	data	7.99861729183	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.m8o02uE	0x3b8000	0x4c000	0x4a600	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.adata	0x404000	0x2000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x260b8	0x24c	data
RT_VERSION	0x26304	0x39c	data	English	United States
RT_MANIFEST	0x266a0	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	English	United States

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	0.0.0.0
InternalName	Pantsuits.exe
FileVersion	0.0.0.0
ProductVersion	0.0.0.0
FileDescription
OriginalFilename	Pantsuits.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 8XMlaeHQXZ.exe PID: 5476 Parent PID: 5480

General

Start time:	18:42:32
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\8XMlaeHQXZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8XMlaeHQXZ.exe"
Imagebase:	0x400000
File size:	178783 bytes
MD5 hash:	5643BF734D793E845166A228F3DF83B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: WerFault.exe PID: 6648 Parent PID: 5476

General

Start time:	18:42:34
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 212
Imagebase:	0x1180000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 8XMlaeHQXZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: 8XMlaeHQXZ.exe PID: 5476 Parent PID: 5480

General

Chronological Activities

Analysis Process: WerFault.exe PID: 6648 Parent PID: 5476

General

Chronological Activities

Disassembly

Code Analysis