Windows Analysis Report
SdEkI4IDqd.exe

Overview

General Information

Sample Name:SdEkI4IDqd.exe
Analysis ID:559536
MD5:003a7c37f9c06d75aaaa6f9b25dc3c41
SHA1:a847ef8c72d26731963b189caff925a8a757d563
SHA256:4f29b22b6b787babc2f984172f8ae0e3999b7621aeb6775ce023f2ef5db0b2e7

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
One or more processes crash
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard

Classification

  • System is w10x64native
  • SdEkI4IDqd.exe (PID: 4720 cmdline: "C:\Users\user\Desktop\SdEkI4IDqd.exe" MD5: 003A7C37F9C06D75AAAA6F9B25DC3C41)
    • WerFault.exe (PID: 3460 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 132 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup
{"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL47.bin"}
        Source | Rule | Description | Author | Strings
        00000002.00000000.334615569450.00000000046A0000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
        00000002.00000000.334613473567.00000000046A0000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
        00000002.00000002.334851169211.00000000046A0000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
        No Sigma rule has matched

        AV Detection

        Source: 00000002.00000000.334615569450.00000000046A0000.00000040.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL47.bin"}
        Source: SdEkI4IDqd.exe | ReversingLabs: Detection: 11%
        Source: SdEkI4IDqd.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: SdEkI4IDqd.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
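The two Static PE information lines above come from two 16-bit words in the PE header, IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics, and the combination they show is worth reading together: RELOCS_STRIPPED alongside DYNAMIC_BASE means the file asks for ASLR but carries no relocation data, so the loader cannot actually move it. The Python below is an added example, not part of the Joe Sandbox report, that decodes both words from a PE file and reports such inconsistencies. The header bytes it parses by default are constructed inside the script to carry exactly the reported flag set (0x010F and 0x8540); they are not bytes from SdEkI4IDqd.exe, and the flag tables are the documented PE/COFF bit values.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics bits (PE/COFF specification)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (offset 70 in both PE32 and PE32+)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def decode_flags(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_flags(data):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header and decode both flag words."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # IMAGE_FILE_HEADER is 20 bytes
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "characteristics": decode_flags(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
    }


def mitigation_findings(info):
    """Observations about the mitigation posture implied by the decoded flags."""
    c, d = info["characteristics"], info["dll_characteristics"]
    findings = []
    if "DYNAMIC_BASE" in d and "RELOCS_STRIPPED" in c:
        findings.append("DYNAMIC_BASE set but RELOCS_STRIPPED: no relocation data, so the loader "
                        "cannot rebase the image and ASLR does not apply")
    if "NX_COMPAT" not in d:
        findings.append("NX_COMPAT clear: image does not opt in to DEP")
    if "GUARD_CF" not in d:
        findings.append("GUARD_CF clear: no Control Flow Guard")
    if "NO_SEH" in d:
        findings.append("NO_SEH: image declares it uses no SEH handlers")
    return findings


def build_sample_header(characteristics, dll_characteristics, pe32plus=False):
    """Constructed test input (hypothetical, not bytes from the sample): minimal DOS stub,
    PE signature, COFF header and a zero-filled optional header carrying the given flag words."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x014C, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Flag words that reproduce the two "Static PE information" lines in this report
REPORTED_CHARACTERISTICS = 0x010F      # RELOCS|EXECUTABLE|LINE_NUMS|LOCAL_SYMS|32BIT_MACHINE
REPORTED_DLL_CHARACTERISTICS = 0x8540  # DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sample_header(REPORTED_CHARACTERISTICS, REPORTED_DLL_CHARACTERISTICS)
    result = parse_pe_flags(blob)
    print(result)
    for finding in mitigation_findings(result):
        print("!", finding)
```

Run it with a path to inspect a real file. The flags here describe the outer file, an NSIS installer (the http://nsis.sf.net/NSIS_Error string in the Networking section is NSIS's standard integrity-check message), not the GuLoader code that the YARA rules matched in memory at 046A0000.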
        Source: Binary string: CLBCatQ.pdb( source: WerFault.exe, 00000006.00000003.334643079195.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334650934945.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ntmarta.pdb% source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ntmarta.pdb( source: WerFault.exe, 00000006.00000003.334646229279.0000000005D93000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334654688118.0000000005D93000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.334627998424.0000000002854000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334623351126.0000000002854000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.334638661765.000000000566C000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334641760247.000000000566C000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.334630548348.0000000005309000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627358211.0000000005309000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.334628172631.0000000002865000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.334627948803.000000000284E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334622593090.000000000284E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712001293.0000000004901000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334623321245.000000000284E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdbA source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000006.00000003.334676424291.0000000006392000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334681726772.0000000006392000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334679956588.0000000006392000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712001293.0000000004901000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dwmapi.pdb( source: WerFault.exe, 00000006.00000003.334629064137.000000000567D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334648186253.000000000567D000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: userenv.pdb( source: WerFault.exe, 00000006.00000003.334638498888.000000000565B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334632159495.000000000565B000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.334628128277.000000000285F000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb( source: WerFault.exe, 00000006.00000003.334630548348.0000000005309000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627358211.0000000005309000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: riched20.pdbk source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdb( source: WerFault.exe, 00000006.00000003.334638661765.000000000566C000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334641760247.000000000566C000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: usp10.pdb( source: WerFault.exe, 00000006.00000003.334645390229.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334675936492.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000006.00000003.334646229279.0000000005D93000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334654688118.0000000005D93000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000006.00000003.334643079195.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334650934945.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: WLDP.pdb( source: WerFault.exe, 00000006.00000003.334640919789.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334671189047.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.334628043555.0000000002859000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.334644924687.0000000005DA4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334661215483.0000000005DA4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: TextShaping.pdb source: WerFault.exe, 00000006.00000003.334683206580.00000000064B2000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334686124336.00000000064B2000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: usp10.pdb source: WerFault.exe, 00000006.00000003.334645390229.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334675936492.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shcore.pdbm source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: CoreMessaging.pdb( source: WerFault.exe, 00000006.00000003.334676424291.0000000006392000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334681726772.0000000006392000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334679956588.0000000006392000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.334629064137.000000000567D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334648186253.000000000567D000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: CoreUIComponents.pdb( source: WerFault.exe, 00000006.00000003.334668526803.0000000006338000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334679884377.0000000006338000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: oleacc.pdb( source: WerFault.exe, 00000006.00000003.334642118918.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334634677761.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635488090.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645815155.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334629149430.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334651855547.0000000005688000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdb( source: WerFault.exe, 00000006.00000003.334628128277.000000000285F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: propsys.pdbO source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: userenv.pdbu source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dwmapi.pdbg source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdb( source: WerFault.exe, 00000006.00000003.334630683994.0000000005314000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334632969680.0000000005314000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ole32.pdb source: WerFault.exe, 00000006.00000003.334627651858.0000000005325000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635658549.0000000005325000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: oleacc.pdb) source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: version.pdb# source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: TextShaping.pdb( source: WerFault.exe, 00000006.00000003.334683206580.00000000064B2000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334686124336.00000000064B2000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000006.00000003.334631755703.000000000558D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334639811501.000000000558D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.334632264968.0000000005666000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.334633229612.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627701921.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635697918.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334630919130.000000000532B000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.334655100260.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334669235798.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: WLDP.pdbs source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.334627998424.0000000002854000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334623351126.0000000002854000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: msls31.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: TextInputFramework.pdb( source: WerFault.exe, 00000006.00000003.334676233311.00000000062DD000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334678064662.00000000062DD000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.334641819621.0000000005672000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645674422.0000000005672000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ole32.pdb( source: WerFault.exe, 00000006.00000003.334627651858.0000000005325000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635658549.0000000005325000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: shcore.pdb( source: WerFault.exe, 00000006.00000003.334654898135.0000000005DA9000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334661290996.0000000005DA9000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdb( source: WerFault.exe, 00000006.00000003.334630495863.0000000005303000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627298226.0000000005303000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdb( source: WerFault.exe, 00000006.00000003.334645056560.0000000005DAF000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334665880795.0000000005DAF000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shell32.pdb( source: WerFault.exe, 00000006.00000003.334626769511.00000000028F5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: propsys.pdb( source: WerFault.exe, 00000006.00000003.334632399665.0000000005677000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645707280.0000000005677000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.334654898135.0000000005DA9000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334661290996.0000000005DA9000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: riched20.pdb source: WerFault.exe, 00000006.00000003.334672930322.0000000005DC5000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdb( source: WerFault.exe, 00000006.00000003.334644924687.0000000005DA4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334661215483.0000000005DA4000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdb( source: WerFault.exe, 00000006.00000003.334641819621.0000000005672000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645674422.0000000005672000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.334630739209.000000000531A000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334633037721.000000000531A000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: oleaut32.pdb( source: WerFault.exe, 00000006.00000003.334656733114.0000000006113000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334672767243.0000000006113000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: oleacc.pdb source: WerFault.exe, 00000006.00000003.334642118918.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334634677761.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635488090.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645815155.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334629149430.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334651855547.0000000005688000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.334626769511.00000000028F5000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdb] source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.334630495863.0000000005303000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627298226.0000000005303000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdb( source: WerFault.exe, 00000006.00000003.334638313404.00000000055F4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334628709433.00000000055F4000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.334638313404.00000000055F4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334628709433.00000000055F4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: userenv.pdb source: WerFault.exe, 00000006.00000003.334638498888.000000000565B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334632159495.000000000565B000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000006.00000003.334668526803.0000000006338000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334679884377.0000000006338000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.334630683994.0000000005314000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334632969680.0000000005314000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.334635179965.0000000005661000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334641228434.0000000005661000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdb( source: WerFault.exe, 00000006.00000003.334655100260.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334669235798.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: sechost.pdb( source: WerFault.exe, 00000006.00000003.334629683558.00000000028EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334626673231.00000000028EA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: comctl32v582.pdb( source: WerFault.exe, 00000006.00000003.334631755703.000000000558D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334639811501.000000000558D000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: combase.pdb( source: WerFault.exe, 00000006.00000003.334633229612.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627701921.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635697918.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334630919130.000000000532B000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.334627948803.000000000284E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334622593090.000000000284E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334623321245.000000000284E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: msvcrt.pdb( source: WerFault.exe, 00000006.00000003.334628172631.0000000002865000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: setupapi.pdb( source: WerFault.exe, 00000006.00000003.334635179965.0000000005661000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334641228434.0000000005661000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdbK source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.334627561731.000000000531F000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 00000006.00000003.334640919789.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334671189047.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.334629683558.00000000028EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334626673231.00000000028EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdbW source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shfolder.pdb source: WerFault.exe, 00000006.00000003.334637475296.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334658178052.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.334632399665.0000000005677000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645707280.0000000005677000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wUxTheme.pdb1 source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.334667386223.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334677830294.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334638063386.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000006.00000003.334676233311.00000000062DD000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334678064662.00000000062DD000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.334645056560.0000000005DAF000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334665880795.0000000005DAF000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shfolder.pdb( source: WerFault.exe, 00000006.00000003.334637475296.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334658178052.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.334641452538.0000000005682000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdb( source: WerFault.exe, 00000006.00000003.334630739209.000000000531A000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334633037721.000000000531A000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: msctf.pdb( source: WerFault.exe, 00000006.00000003.334667386223.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334677830294.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334638063386.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: CLBCatQ.pdby source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shfolder.pdb? source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.334656733114.0000000006113000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334672767243.0000000006113000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: setupapi.pdb[ source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_00406873 FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_0040290B FindFirstFileW,

        Networking

        Source: Malware configuration extractor URLs: https://dariamob.ro/wed/eee_XScUCMEVL47.bin
        Source: SdEkI4IDqd.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: SdEkI4IDqd.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: WerFault.exe, 00000006.00000002.334846106125.0000000002837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: WerFault.exe, 00000006.00000002.334845899854.0000000002808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: SdEkI4IDqd.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: SdEkI4IDqd.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: SdEkI4IDqd.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: SdEkI4IDqd.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: SdEkI4IDqd.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: SdEkI4IDqd.exe String found in binary or memory: http://ocsp.digicert.com0C
        Source: SdEkI4IDqd.exe String found in binary or memory: http://ocsp.digicert.com0O
        Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr String found in binary or memory: http://upx.sf.net
        Source: SdEkI4IDqd.exe String found in binary or memory: http://www.digicert.com/CPS0
        Source: SdEkI4IDqd.exe String found in binary or memory: https://www.digicert.com/CPS0
        Source: WerFault.exe, 00000006.00000003.334642355623.0000000005BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
        Source: SdEkI4IDqd.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 132
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Section loaded: edgegdi.dll
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_0040755C
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_00406D85
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_70E71BFF
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A584A
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A5855
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A5E2F
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A6034
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A801C
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A42ED
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A82D0
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A04AF
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A5CB0
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A7D7D
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A554A
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A4543
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A5B2F
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A4D3E
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A5BD9
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A6F88
        Source: SdEkI4IDqd.exe Static PE information: invalid certificate
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A584A NtAllocateVirtualMemory,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_046A5855 NtAllocateVirtualMemory,
        Source: SdEkI4IDqd.exe ReversingLabs: Detection: 11%
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe File read: C:\Users\user\Desktop\SdEkI4IDqd.exe
        Source: SdEkI4IDqd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown Process created: C:\Users\user\Desktop\SdEkI4IDqd.exe "C:\Users\user\Desktop\SdEkI4IDqd.exe"
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 132
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4720
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe File created: C:\Users\user\AppData\Local\Temp\nsp9395.tmp
        Source: classification engine Classification label: mal68.troj.winEXE@2/9@0/0
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_004021AA CoCreateInstance,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe Code function: 2_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
        Source: SdEkI4IDqd.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: CLBCatQ.pdb( source: WerFault.exe, 00000006.00000003.334643079195.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334650934945.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ntmarta.pdb% source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ntmarta.pdb( source: WerFault.exe, 00000006.00000003.334646229279.0000000005D93000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334654688118.0000000005D93000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.334627998424.0000000002854000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334623351126.0000000002854000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.334638661765.000000000566C000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334641760247.000000000566C000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.334630548348.0000000005309000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627358211.0000000005309000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.334628172631.0000000002865000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.334627948803.000000000284E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334622593090.000000000284E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712001293.0000000004901000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334623321245.000000000284E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdbA source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000006.00000003.334676424291.0000000006392000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334681726772.0000000006392000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334679956588.0000000006392000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712001293.0000000004901000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dwmapi.pdb( source: WerFault.exe, 00000006.00000003.334629064137.000000000567D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334648186253.000000000567D000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: userenv.pdb( source: WerFault.exe, 00000006.00000003.334638498888.000000000565B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334632159495.000000000565B000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.334628128277.000000000285F000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ucrtbase.pdb( source: WerFault.exe, 00000006.00000003.334630548348.0000000005309000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627358211.0000000005309000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: riched20.pdbk source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdb( source: WerFault.exe, 00000006.00000003.334638661765.000000000566C000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334641760247.000000000566C000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: usp10.pdb( source: WerFault.exe, 00000006.00000003.334645390229.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334675936492.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000006.00000003.334646229279.0000000005D93000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334654688118.0000000005D93000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000006.00000003.334643079195.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334650934945.0000000005D8D000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: WLDP.pdb( source: WerFault.exe, 00000006.00000003.334640919789.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334671189047.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.334628043555.0000000002859000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.334644924687.0000000005DA4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334661215483.0000000005DA4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: TextShaping.pdb source: WerFault.exe, 00000006.00000003.334683206580.00000000064B2000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334686124336.00000000064B2000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: usp10.pdb source: WerFault.exe, 00000006.00000003.334645390229.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334675936492.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shcore.pdbm source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: CoreMessaging.pdb( source: WerFault.exe, 00000006.00000003.334676424291.0000000006392000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334681726772.0000000006392000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334679956588.0000000006392000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.334629064137.000000000567D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334648186253.000000000567D000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: CoreUIComponents.pdb( source: WerFault.exe, 00000006.00000003.334668526803.0000000006338000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334679884377.0000000006338000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: oleacc.pdb( source: WerFault.exe, 00000006.00000003.334642118918.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334634677761.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635488090.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645815155.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334629149430.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334651855547.0000000005688000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: advapi32.pdb( source: WerFault.exe, 00000006.00000003.334628128277.000000000285F000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: propsys.pdbO source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: userenv.pdbu source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: dwmapi.pdbg source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdb( source: WerFault.exe, 00000006.00000003.334630683994.0000000005314000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334632969680.0000000005314000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ole32.pdb source: WerFault.exe, 00000006.00000003.334627651858.0000000005325000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635658549.0000000005325000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: oleacc.pdb) source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: version.pdb# source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: TextShaping.pdb( source: WerFault.exe, 00000006.00000003.334683206580.00000000064B2000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334686124336.00000000064B2000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000006.00000003.334631755703.000000000558D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334639811501.000000000558D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.334632264968.0000000005666000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.334633229612.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627701921.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635697918.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334630919130.000000000532B000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.334655100260.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334669235798.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: WLDP.pdbs source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.334627998424.0000000002854000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334623351126.0000000002854000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: msls31.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: TextInputFramework.pdb( source: WerFault.exe, 00000006.00000003.334676233311.00000000062DD000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334678064662.00000000062DD000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.334641819621.0000000005672000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645674422.0000000005672000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ole32.pdb( source: WerFault.exe, 00000006.00000003.334627651858.0000000005325000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635658549.0000000005325000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: shcore.pdb( source: WerFault.exe, 00000006.00000003.334654898135.0000000005DA9000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334661290996.0000000005DA9000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdb( source: WerFault.exe, 00000006.00000003.334630495863.0000000005303000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627298226.0000000005303000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdb( source: WerFault.exe, 00000006.00000003.334645056560.0000000005DAF000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334665880795.0000000005DAF000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shell32.pdb( source: WerFault.exe, 00000006.00000003.334626769511.00000000028F5000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: propsys.pdb( source: WerFault.exe, 00000006.00000003.334632399665.0000000005677000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645707280.0000000005677000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.334654898135.0000000005DA9000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334661290996.0000000005DA9000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: riched20.pdb source: WerFault.exe, 00000006.00000003.334672930322.0000000005DC5000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shlwapi.pdb( source: WerFault.exe, 00000006.00000003.334644924687.0000000005DA4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334661215483.0000000005DA4000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdb( source: WerFault.exe, 00000006.00000003.334641819621.0000000005672000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645674422.0000000005672000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.334630739209.000000000531A000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334633037721.000000000531A000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: oleaut32.pdb( source: WerFault.exe, 00000006.00000003.334656733114.0000000006113000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334672767243.0000000006113000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: oleacc.pdb source: WerFault.exe, 00000006.00000003.334642118918.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334634677761.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635488090.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645815155.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334629149430.0000000005688000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334651855547.0000000005688000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.334626769511.00000000028F5000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: apphelp.pdb] source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.334630495863.0000000005303000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627298226.0000000005303000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdb( source: WerFault.exe, 00000006.00000003.334638313404.00000000055F4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334628709433.00000000055F4000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.334638313404.00000000055F4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334628709433.00000000055F4000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: userenv.pdb source: WerFault.exe, 00000006.00000003.334638498888.000000000565B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334632159495.000000000565B000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000006.00000003.334668526803.0000000006338000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334679884377.0000000006338000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.334630683994.0000000005314000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334632969680.0000000005314000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.334635179965.0000000005661000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334641228434.0000000005661000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: Windows.Storage.pdb( source: WerFault.exe, 00000006.00000003.334655100260.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334669235798.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: sechost.pdb( source: WerFault.exe, 00000006.00000003.334629683558.00000000028EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334626673231.00000000028EA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: comctl32v582.pdb( source: WerFault.exe, 00000006.00000003.334631755703.000000000558D000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334639811501.000000000558D000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: combase.pdb( source: WerFault.exe, 00000006.00000003.334633229612.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334627701921.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334635697918.000000000532B000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334630919130.000000000532B000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000006.00000003.334627948803.000000000284E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334622593090.000000000284E000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334623321245.000000000284E000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: msvcrt.pdb( source: WerFault.exe, 00000006.00000003.334628172631.0000000002865000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: setupapi.pdb( source: WerFault.exe, 00000006.00000003.334635179965.0000000005661000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334641228434.0000000005661000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ws2_32.pdbK source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.334627561731.000000000531F000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: WLDP.pdb source: WerFault.exe, 00000006.00000003.334640919789.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334671189047.0000000005DC0000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.334629683558.00000000028EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334626673231.00000000028EA000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712226163.0000000004AD0000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: bcrypt.pdbW source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shfolder.pdb source: WerFault.exe, 00000006.00000003.334637475296.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334658178052.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.334632399665.0000000005677000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334645707280.0000000005677000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wUxTheme.pdb1 source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.334667386223.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334677830294.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334638063386.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000006.00000003.334676233311.00000000062DD000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334678064662.00000000062DD000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: version.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.334645056560.0000000005DAF000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334665880795.0000000005DAF000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shfolder.pdb( source: WerFault.exe, 00000006.00000003.334637475296.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334658178052.0000000005D9E000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.334641452538.0000000005682000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wgdi32.pdb( source: WerFault.exe, 00000006.00000003.334630739209.000000000531A000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334633037721.000000000531A000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: msctf.pdb( source: WerFault.exe, 00000006.00000003.334667386223.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334677830294.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334638063386.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: CLBCatQ.pdby source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: shfolder.pdb? source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.334656733114.0000000006113000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000006.00000003.334672767243.0000000006113000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: setupapi.pdb[ source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.334712329389.0000000004AD8000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: Yara match | File source: 00000002.00000000.334615569450.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000000.334613473567.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.334851169211.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_70E730C0 push eax; ret
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A304F push es; retn 0010h
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A6436 push edi; retf
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A300E push ecx; ret
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A10AF push edx; ret
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A6487 push esi; iretd
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A07E3 push cs; retf
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_70E71BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | File created: C:\Users\user\AppData\Local\Temp\nsv94A0.tmp\System.dll
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (15 identical entries)
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A745A rdtsc
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_00406873 FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_0040290B FindFirstFileW,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | API call chain: ExitProcess graph end node (2 identical entries)
        Source: WerFault.exe, 00000006.00000002.334846387157.00000000028EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh%
        Source: WerFault.exe, 00000006.00000002.334848325179.0000000005DBC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A707C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A5429 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A7D7D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A41D3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A6BD6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_70E71BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A745A rdtsc
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_046A89CA RtlAddVectoredExceptionHandler,
        Source: C:\Users\user\Desktop\SdEkI4IDqd.exe | Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
        Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
        Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
        Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
        MITRE ATT&CK Matrix (techniques listed per tactic; the count shown in the matrix for a technique is given in parentheses)

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
        Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron
        Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
        Privilege Escalation: Access Token Manipulation (1); Process Injection (1); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script
        Defense Evasion: Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
        Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
        Discovery: Security Software Discovery (31); Virtualization/Sandbox Evasion (1); File and Directory Discovery (2); System Information Discovery (3); Remote System Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
        Collection: Input Capture (1); Archive Collected Data (1); Clipboard Data (1); Input Capture; Keylogging
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
        Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography; Protocol Impersonation; Fallback Channels
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
        Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data
        Source | Detection | Scanner | Label
        SdEkI4IDqd.exe | 6% | Virustotal |
        SdEkI4IDqd.exe | 12% | ReversingLabs | Win32.Downloader.GuLoader

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\nsv94A0.tmp\System.dll | 0% | Virustotal |
        C:\Users\user\AppData\Local\Temp\nsv94A0.tmp\System.dll | 0% | Metadefender |
        C:\Users\user\AppData\Local\Temp\nsv94A0.tmp\System.dll | 0% | ReversingLabs |

        No Antivirus matches

        Source | Detection | Scanner | Label
        https://dariamob.ro/wed/eee_XScUCMEVL47.bin | 0% | Avira URL Cloud | safe

        No contacted domains info

        Name | Malicious | Antivirus Detection | Reputation
        https://dariamob.ro/wed/eee_XScUCMEVL47.bin | true | Avira URL Cloud: safe | unknown

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://upx.sf.net | Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr | false | | high
        http://nsis.sf.net/NSIS_ErrorError | SdEkI4IDqd.exe | false | | high

        No contacted IP infos
            Joe Sandbox Version:34.0.0 Boulder Opal
            Analysis ID:559536
            Start date:25.01.2022
            Start time:13:28:03
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 6m 21s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:SdEkI4IDqd.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
            Run name:Suspected Instruction Hammering
            Number of analysed new started processes analysed:16
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal68.troj.winEXE@2/9@0/0
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            • Stop behavior analysis, all processes terminated
            • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 13.87.187.111, 52.182.143.212
            • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, onedsblobprdcus15.centralus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net
            Time | Type | Description
            13:30:18 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
            No context
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):65536
            Entropy (8bit):0.9879388734369047
            Encrypted:false
            SSDEEP:192:S8ax5lgjbiQdmBUWoj4mCFDu76cfAIO8Q:yx5lSiQMBUWojoDu76cfAIO8Q
            MD5:328C32ABA5F9DB95346BA9EC827EC269
            SHA1:3DA735AA0F317DE6250BA256F5A3B5A536A12966
            SHA-256:B64C30C72668A2F2FD1A8A363D1E6E25F6E94E9017407A896BC7B7A49F13D43F
            SHA-512:7AAC31B95AFE06C09BF4AC9CECAAC0409A7EA709D0D0F20AC75039D3519B56126CE6184BF10D887EC2B650502F4642B2E08DA231D197C2F796442651CE3ED8F8
            Malicious:true
            Reputation:low
            Preview (UTF-16 decoded): Version=1; EventType=APPCRASH; EventTime=132875910048375358; ReportType=2; Consent=1; UploadTime=132875910102425089; ReportStatus=524384; ReportIdentifier=9cac9173-7c05-423b-af58-490750c1f21d; IntegratorReportIdentifier=44db7428-4346-4ee9-869c-701b739303de; Wow64Host=34404; Wow64Guest=332; NsAppName=SdEkI4IDqd.exe; AppSessionGuid=00001270-0001-0012-6b5c-dda3ef11d801; TargetAppId=W:00069d1791c69889557b6a376ca73a077fbe00000904!0000a847ef8c72d26731963b189caff925a8a757d563!SdEkI4IDqd.exe; TargetApp
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Tue Jan 25 13:30:07 2022, 0x1205a4 type
            Category:dropped
            Size (bytes):68692
            Entropy (8bit):2.0028487897099914
            Encrypted:false
            SSDEEP:384:y06SLyxT80l6RFqzAXITdx5fC0S3jxKjUe:kSmxT8B6zPdT7SlcU
            MD5:0360D5EC84616372ED0DB315DB696ECF
            SHA1:EB87E55BEDAFCC6086BD31AAFD23BACE5F48179A
            SHA-256:DBD5FD0917E7AA016E666E3D5F7237B65AD6FC5B2C5928F4B504A85FBACDD3B3
            SHA-512:7E7F6F03397E8F6C18F55115D964DA48AF02A63625066B13704E0444BE48BC3380C67D5DDC90A2CEE5A45309AFCC84433E5F38EE96FE456E661AA4A9A4C5CE3B
            Malicious:false
            Reputation:low
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):8356
            Entropy (8bit):3.704063042439789
            Encrypted:false
            SSDEEP:192:R9l7lZNiE2656YQRSUtKgmfNC5prd89babJsf1acUjm:R9lnNi9656Y+SUtKgmfNdabifUn6
            MD5:6243AA156674F15DEA361FC733907BBC
            SHA1:E916270BB5A24D86D6963904958F9030DFB534C3
            SHA-256:3AF54FE1F43A6CBC8F728D4DBF92E4EB0DA0DD1FBF1AD077FA70ABA5FD843101
            SHA-512:C41AA537678B76ECEB8E26E6D6A6DFD3D705CA125580862B619471925E9975B10444812B1453A8D6FA749C29AAB0DCDC4357699FBE3D2DDFF2FBA3C5D9AB4E81
            Malicious:false
            Reputation:low
            Preview (UTF-16 decoded): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19042</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.1165.amd64fre.vb_release.191206-1406</BuildString> <Revision>1165</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>4720</Pi
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4773
            Entropy (8bit):4.541609106898375
            Encrypted:false
            SSDEEP:48:cvIwwtl8zsie702I7VFJ5WS2Cfjk2s3rm8M4Jhu262kaFuL+q8l2yWUg2gAbazu4:uILfH7GySPfIJIvLLCZg2gAbUYmd
            MD5:CCEFA9031CFADAFFBC735915E21BAF48
            SHA1:E85EC509EEB353790B7EE7BE592111A1B4D106F5
            SHA-256:FE18C806707CF401F7B9B961B46C0AAF82959D4526D1DB8F87119C60C8FEE334
            SHA-512:DF4A8AB71FBF6F862F8A85AEAA9CE315C79CCC1026B60EE6BF9408B98C9F17215CF17C34DDA6EE829A6ADA20DF61512C1C1200D07F505A062D838E7419233B15
            Malicious:false
            Reputation:low
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="221457132" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
            Process:C:\Users\user\Desktop\SdEkI4IDqd.exe
            File Type:DOS executable (COM)
            Category:dropped
            Size (bytes):36366
            Entropy (8bit):7.621225978231947
            Encrypted:false
            SSDEEP:768:RcwJQKlTyjsiu4sY3Hs4bvuSyEXCjYL7XoaFZLkcszAI:a+FlOoiuJYMS2SyEyULTZI
            MD5:448942A62FED29DEF36D74EECFE7D736
            SHA1:4312E7D4BE729BF6200A1F87C1C84391CF0706F3
            SHA-256:87ADB3A77D22DD8C88F4900513775B411512F1964EBAC4DD4354554B4C36A68E
            SHA-512:3DC538388099228A260F1F48F50F713C9A476EE1E23F70F50A6D1758456E6024CA34DC17291A47E65A7F347BAA287DE36EEAB5548768EB3FE94E10DE03E4FFEB
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\SdEkI4IDqd.exe
            File Type:ASCII text, with very long lines, with no line terminators
            Category:dropped
            Size (bytes):16555
            Entropy (8bit):5.9518641421213605
            Encrypted:false
            SSDEEP:384:HpBOk6soHG6Nun3UPBApXPE8eMag91API7ee872UmLZ7:HmkfOG6NNyp/dn19N7U71mLZ
            MD5:695A2030432B3D981B012A42EDCA055A
            SHA1:31283CF8F970E22E7C9B6FCB811B9C1608997211
            SHA-256:F0568B8400FE6F4621B3E62C56B3C3AB9712DD6D30966A348EB3497ACF6B226A
            SHA-512:0095FE21135FCCB9C5723D583C2087FB9D9CD61CB90BB5C96E11EA76469A3744B7F068B7301F7342AF95642D18921763B250FBB9E8F16F5CC9124300E6A97C5C
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\SdEkI4IDqd.exe
            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):12288
            Entropy (8bit):5.814115788739565
            Encrypted:false
            SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
            MD5:CFF85C549D536F651D4FB8387F1976F2
            SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
            SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
            SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
            Malicious:false
            Antivirus:
            • Antivirus: Virustotal, Detection: 0%, Browse
            • Antivirus: Metadefender, Detection: 0%, Browse
            • Antivirus: ReversingLabs, Detection: 0%
            Reputation:moderate, very likely benign file
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:MS Windows registry file, NT/2000 or above
            Category:dropped
            Size (bytes):2359296
            Entropy (8bit):4.226748971775044
            Encrypted:false
            SSDEEP:24576:w4tRaNKI09a44INbvWADU5u2JagmcnYJp:w4tRaNKI09a44INLFUg2JagmcnYJp
            MD5:7D10DA26A26789266E5BE48FC46AFF77
            SHA1:ACDA3C1DF960C48C65A9F1E8F452256756CC8704
            SHA-256:39AB8E3D269A8651E75ABF0F11684739271DB540997B6E9639FA91852EB49643
            SHA-512:B4E13007A680C80E822132F04856FD987FD480DC63ECE518F4750A41BE8AE84FCEF8BF0BB2F757DC8F0C186AF9AEAF399B15A503A76CC89B3225EE333E41951C
            Malicious:false
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:MS Windows registry file, NT/2000 or above
            Category:dropped
            Size (bytes):106496
            Entropy (8bit):3.733320100142391
            Encrypted:false
            SSDEEP:1536:NhHn1jHxzlsZ+cThJW3/eS/cgZfPrpSfcetAlRz:TNHRlsZOYifPrpnetAlRz
            MD5:4E0A7A4F2542F277671684D0E7F5EAB4
            SHA1:2617D35378FA55C775DF539D9E95A606C72BAA28
            SHA-256:E7157810C1A4D699BF1EE3893A03BFAB8A0C3C1143F82B04572AF4C5817B28D0
            SHA-512:C0AFC0318FF7A09DB4E3F74711AA99819BC559183007AFB4EE17A1B682F22DB0A29979B881ACB92751DC38555393AC7657CCE3E990F9DE4F46B580FB6CD5578B
            Malicious:false
            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Entropy (8bit):7.540130212507592
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:SdEkI4IDqd.exe
            File size:97752
            MD5:003a7c37f9c06d75aaaa6f9b25dc3c41
            SHA1:a847ef8c72d26731963b189caff925a8a757d563
            SHA256:4f29b22b6b787babc2f984172f8ae0e3999b7621aeb6775ce023f2ef5db0b2e7
            SHA512:4067ddae5bdf8f620d1cf1673536a8383664fd47a2b6bb0f7932eb005e43fdf0c5269d0f84a9aef6afd215bddbcc1536584216d07179a1bb66bb3f7645b0f1a2
            SSDEEP:1536:K/T2X/jN2vxZz0DTHUpouZZbnneGmqJdg9i6/g7ld317J1H8k29xE+19+coGd:KbG7N2kDTHUpouZZbnnnJdl11T4Pd
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........
            Icon Hash:b2a88c96b2ca6a72
            Entrypoint:0x40352d
            Entrypoint Section:.text
            Digitally signed:true
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
            Signature Valid:false
            Signature Issuer:E=Blosteret@HOVEDPUNKT.fl, CN=Tallowed4, OU=SEKSUALFORBRYDERES, O=Fiorin, L=Nonlyrically, S=CARPOPTOSIS, C=CN
            Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
            Error Number:-2146762487
            Not Before, Not After
            • 25/01/2022 09:49:28 25/01/2023 09:49:28
            Subject Chain
            • E=Blosteret@HOVEDPUNKT.fl, CN=Tallowed4, OU=SEKSUALFORBRYDERES, O=Fiorin, L=Nonlyrically, S=CARPOPTOSIS, C=CN
            Version:3
            Thumbprint MD5:80D66677069923CF4D67981C0E1FBA70
            Thumbprint SHA-1:E8B77C74D42CA6EC42A14CF926CC0D402018DB27
            Thumbprint SHA-256:CF9CD9DC0548C1F076D43ECBF2CD2398423AE538B83271032EEBA04757E6E5E1
            Serial:00
            Instruction
            push ebp
            mov ebp, esp
            sub esp, 000003F4h
            push ebx
            push esi
            push edi
            push 00000020h
            pop edi
            xor ebx, ebx
            push 00008001h
            mov dword ptr [ebp-14h], ebx
            mov dword ptr [ebp-04h], 0040A2E0h
            mov dword ptr [ebp-10h], ebx
            call dword ptr [004080CCh]
            mov esi, dword ptr [004080D0h]
            lea eax, dword ptr [ebp-00000140h]
            push eax
            mov dword ptr [ebp-0000012Ch], ebx
            mov dword ptr [ebp-2Ch], ebx
            mov dword ptr [ebp-28h], ebx
            mov dword ptr [ebp-00000140h], 0000011Ch
            call esi
            test eax, eax
            jne 00007F238CD3A3EAh
            lea eax, dword ptr [ebp-00000140h]
            mov dword ptr [ebp-00000140h], 00000114h
            push eax
            call esi
            mov ax, word ptr [ebp-0000012Ch]
            mov ecx, dword ptr [ebp-00000112h]
            sub ax, 00000053h
            add ecx, FFFFFFD0h
            neg ax
            sbb eax, eax
            mov byte ptr [ebp-26h], 00000004h
            not eax
            and eax, ecx
            mov word ptr [ebp-2Ch], ax
            cmp dword ptr [ebp-0000013Ch], 0Ah
            jnc 00007F238CD3A3BAh
            and word ptr [ebp-00000132h], 0000h
            mov eax, dword ptr [ebp-00000134h]
            movzx ecx, byte ptr [ebp-00000138h]
            mov dword ptr [00434FB8h], eax
            xor eax, eax
            mov ah, byte ptr [ebp-0000013Ch]
            movzx eax, ax
            or eax, ecx
            xor ecx, ecx
            mov ch, byte ptr [ebp-2Ch]
            movzx ecx, cx
            shl eax, 10h
            or eax, ecx
            Programming Language:
            • [EXP] VC++ 6.0 SP5 build 8804
            Name                                  Virtual Address  Virtual Size  Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IMPORT          0x8610           0xa0          .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4c000          0xe28         .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_SECURITY        0x16968          0x1470        .data
            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
            .text   0x1000           0x6897        0x6a00    False     0.666126179245   data       6.45839821493   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata  0x8000           0x14a6        0x1600    False     0.439275568182   data       5.02410928126   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data   0xa000           0x2b018       0x600     False     0.521484375      data       4.15458210409   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .ndata  0x36000          0x16000       0x0       False     0                empty      0.0             IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rsrc   0x4c000          0xe28         0x1000    False     0.378662109375   data       4.00654037497   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            Name           RVA      Size   Type                                                                             Language  Country
            RT_ICON        0x4c208  0x2e8  data                                                                             English   United States
            RT_DIALOG      0x4c4f0  0x100  data                                                                             English   United States
            RT_DIALOG      0x4c5f0  0x11c  data                                                                             English   United States
            RT_DIALOG      0x4c710  0xc4   data                                                                             English   United States
            RT_DIALOG      0x4c7d8  0x60   data                                                                             English   United States
            RT_GROUP_ICON  0x4c838  0x14   data                                                                             English   United States
            RT_VERSION     0x4c850  0x294  data                                                                             English   United States
            RT_MANIFEST    0x4cae8  0x33e  XML 1.0 document, ASCII text, with very long lines, with no line terminators    English   United States
            DLL           Import
            ADVAPI32.dll  RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
            SHELL32.dll   SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
            ole32.dll     OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
            COMCTL32.dll  ImageList_Create, ImageList_Destroy, ImageList_AddMasked
            USER32.dll    GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
            GDI32.dll     SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
            KERNEL32.dll  GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
            Description      Data
            LegalCopyright   Lesney Products
            FileVersion      1.2.1
            CompanyName      Lesney Products
            LegalTrademarks  Lesney Products
            Comments         Lesney Products
            ProductName      Lesney Products
            FileDescription  Lesney Products
            Translation      0x0409 0x04b0
            Language of compilation system  Country where language is spoken  Map
            English                         United States
            No network behavior found
            Target ID:2
            Start time:13:29:55
            Start date:25/01/2022
            Path:C:\Users\user\Desktop\SdEkI4IDqd.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\SdEkI4IDqd.exe"
            Imagebase:0x400000
            File size:97752 bytes
            MD5 hash:003A7C37F9C06D75AAAA6F9B25DC3C41
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000000.334615569450.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000000.334613473567.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.334851169211.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
            Reputation:low

            Target ID:6
            Start time:13:29:57
            Start date:25/01/2022
            Path:C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 132
            Imagebase:0x180000
            File size:482640 bytes
            MD5 hash:40A149513D721F096DDF50C04DA2F01F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            No disassembly