
Windows Analysis Report
qjrOWCCE58

Overview

General Information

Sample Name: qjrOWCCE58 (renamed file extension from none to exe)
Analysis ID: 620693
MD5: 732132623989caae367e0878298b7e9b
SHA1: e493be600aa8ecf7384ac3f23454daf6fdd1821d
SHA256: 32f431ba791fcd1f53e53b26447c9dbf59983549f567bac43ea9578b98de4ca8
Tags: 32exetrojan

Detection

Nymaim
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Nymaim
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses 32bit PE files
One or more processes crash
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Uses taskkill to terminate processes
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges

Classification

  • System is w10x64
  • qjrOWCCE58.exe (PID: 1592 cmdline: "C:\Users\user\Desktop\qjrOWCCE58.exe" MD5: 732132623989CAAE367E0878298B7E9B)
    • WerFault.exe (PID: 4856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 772 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 3152 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 796 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4228 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 628 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 900 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 908 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6408 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 916 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • cmd.exe (PID: 6492 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • taskkill.exe (PID: 6612 cmdline: taskkill /im "qjrOWCCE58.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
  • cleanup
No configs have been found
Yara matches in memory dumps (5 of 26 entries shown)
Source | Rule | Description | Author | Strings
00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000000.269341375.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000000.283327894.0000000000820000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000000.262759789.0000000000820000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
00000000.00000000.253715249.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

Yara matches in unpacked PE files (5 of 58 entries shown)
Source | Rule | Description | Author | Strings
0.0.qjrOWCCE58.exe.400000.11.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.0.qjrOWCCE58.exe.400000.21.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.0.qjrOWCCE58.exe.400000.5.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.0.qjrOWCCE58.exe.820e67.2.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |
0.0.qjrOWCCE58.exe.400000.1.raw.unpack | JoeSecurity_Nymaim | Yara detected Nymaim | Joe Security |

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: qjrOWCCE58.exe | Virustotal: Detection: 33%
Source: qjrOWCCE58.exe | ReversingLabs: Detection: 50%
Source: qjrOWCCE58.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00403050 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_008232B7 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,
Source: qjrOWCCE58.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\ciyicu.pdb source: qjrOWCCE58.exe
Source: Binary string: *'9C:\ciyicu.pdb source: qjrOWCCE58.exe
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00403D70 Sleep,Sleep,FindFirstFileA,FindNextFileA,Sleep,FindNextFileA,FindClose,Sleep,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_004225FD FindFirstFileExW,
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00842864 FindFirstFileExW,
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00823FD7 FindFirstFileA,FindClose,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00401420 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

E-Banking Fraud

Source: qjrOWCCE58.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 656
Source: qjrOWCCE58.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qjrOWCCE58.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qjrOWCCE58.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qjrOWCCE58.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00407FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00404800
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00402800
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00425020
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_004138A3
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00404120
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0040F240
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00413AD5
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0042936A
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00420B79
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00420458
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00417CE0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0042948A
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00403D70
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00427509
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00431D94
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00404620
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00404FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00824887
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_008269F6
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00845287
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00828217
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00824A67
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00824387
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00825BAE
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00833B0A
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0082F4A7
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_008495D1
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00833D3C
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_008406BF
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00837EE0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_008496F1
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00823FD7
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0082671B
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: String function: 0040E1D0 appears 54 times
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: String function: 0082E437 appears 54 times
Source: qjrOWCCE58.exe | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: qjrOWCCE58.exe | Virustotal: Detection: 33%
Source: qjrOWCCE58.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_004024E0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,
Source: qjrOWCCE58.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\qjrOWCCE58.exe "C:\Users\user\Desktop\qjrOWCCE58.exe"
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 656
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 772
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 796
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 628
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 908
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 916
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "qjrOWCCE58.exe" /f
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1592
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "qjrOWCCE58.exe")
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Command line argument: `a}{
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Command line argument: MFE.
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Command line argument: ZK]Z
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Command line argument: ZK]Z
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Command line argument: 0|C
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE842.tmp
Source: classification engine | Classification label: mal60.troj.evad.winEXE@12/28@0/0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_00401420 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: qjrOWCCE58.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\ciyicu.pdb source: qjrOWCCE58.exe
Source: Binary string: *'9C:\ciyicu.pdb source: qjrOWCCE58.exe
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0042F1A5 push esi; ret
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0040DCAA push ecx; ret
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0042B611 push esp; iretd
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0042C746 pushad ; retf
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0042C72E push eax; retf
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0084113F push esp; retf
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Code function: 0_2_0082DF11 push ecx; ret
Source: C:\Users\user\Desktop\qjrOWCCE58.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeAPI coverage: 5.3 %
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_00403D70 Sleep,Sleep,FindFirstFileA,FindNextFileA,Sleep,FindNextFileA,FindClose,Sleep,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_004225FD FindFirstFileExW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_00842864 FindFirstFileExW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_00823FD7 FindFirstFileA,FindClose,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_00411B5B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0041637F mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0041EBEF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0082092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_00820D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_008365E6 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0083EE56 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeProcess queried: DebugPort
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_004024E0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_00402800 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,
                      Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_00411B5B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0040D3C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0040DDE5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0040DF79 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0082E04C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0082E1E0 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_00831DC2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0082D629 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "qjrOWCCE58.exe" /f
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "qjrOWCCE58.exe" /f
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_0040DFE3 cpuid
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_00417043 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,
                      Source: C:\Users\user\Desktop\qjrOWCCE58.exeCode function: 0_2_00405840 GetUserNameA,CreateThread,Sleep,Sleep,

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.21.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.16.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.20.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.qjrOWCCE58.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.12.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.14.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.27.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.24.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.15.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.22.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.17.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.20.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.21.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.19.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.28.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.23.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.27.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.qjrOWCCE58.exe.820e67.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.24.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.23.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.26.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.18.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.qjrOWCCE58.exe.860000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.25.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.25.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.qjrOWCCE58.exe.860000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.18.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.19.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.22.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.qjrOWCCE58.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.qjrOWCCE58.exe.820e67.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.17.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.26.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.400000.15.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.16.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.0.qjrOWCCE58.exe.820e67.28.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.269341375.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.283327894.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.262759789.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.253715249.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.280137430.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.253175312.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.302456596.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.291073585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.283828611.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.263480015.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.284150109.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.301360286.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.302642354.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.250452760.0000000000860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.254142123.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.292136739.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.301881203.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.269598460.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.262441622.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.263212749.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.309005504.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.309602192.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.309769483.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.291503648.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.270183524.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.292619266.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.252534472.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.269963050.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.309168636.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques with at least one matching signature; the number in parentheses is the count of signatures mapped to that technique)
Initial Access: none
Execution: Windows Management Instrumentation (1), Command and Scripting Interpreter (2)
Persistence: none
Privilege Escalation: Process Injection (11)
Defense Evasion: Process Injection (11), Obfuscated Files or Information (2), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (1), Deobfuscate/Decode Files or Information (1)
Credential Access: none
Discovery: System Information Discovery (23), Security Software Discovery (5), File and Directory Discovery (2), System Time Discovery (1), Virtualization/Sandbox Evasion (1), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (1)
Exfiltration: none
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (1)
Network Effects: none
Remote Service Effects: none
Impact: none
(The remaining cells of the matrix contained only the unmatched template techniques and are omitted here.)
Behavior Graph
Behavior Graph ID: 620693
Sample: qjrOWCCE58
Start date: 05/05/2022
Architecture: WINDOWS
Score: 60
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Nymaim; Machine Learning detection for sample
Process tree:
qjrOWCCE58.exe (started)
  WerFault.exe (started) -> drops C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
  WerFault.exe (started) -> drops C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
  WerFault.exe (started) -> drops C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
  5 other processes -> drop four further C:\ProgramData\Microsoft\...\Report.wer files (Little-endian); one of them starts taskkill.exe and conhost.exe

Antivirus / scanner detections for the submitted file:
Source           Detection   Scanner          Label
qjrOWCCE58.exe   34%         Virustotal
qjrOWCCE58.exe   50%         ReversingLabs    Win32.Trojan.DanaBot
qjrOWCCE58.exe   100%        Joe Sandbox ML
Note that the ReversingLabs family label (DanaBot) does not agree with the Yara classification (Nymaim) on which this report's detection rests; the report does not reconcile the two.
No Antivirus matches
                      No contacted domains info
                      No contacted IP infos
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:620693
Start date and time: 2022-05-05 05:39:04 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 6m 45s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Sample file name:qjrOWCCE58 (renamed file extension from none to exe)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:43
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal60.troj.evad.winEXE@12/28@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 51.8% (good quality ratio 48.9%)
                      • Quality average: 77.1%
                      • Quality standard deviation: 28.4%
                      HCA Information:
                      • Successful, ratio: 91%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 40.127.240.158, 23.205.181.161
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, login.live.com, go.microsoft.com.edgekey.net, sls.update.microsoft.com, settings-prod-neu-1.northeurope.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, atm-settingsfe-prod-geo.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      No simulations
No context
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8772016254471042
                      Encrypted:false
                      SSDEEP:96:jKvwRjshloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBDIA:zIH56rwjxlk/u7sAS274It5E
                      MD5:0216CA3E9CF45AFE94BDF4E6699D8541
                      SHA1:A51A03BB633277DC82DC3F632BD7E6A50E6E5B22
                      SHA-256:1DE57D9092695FC73A27B70217074D422AC9D791E60F4EA29C8DB4B3D6FA7576
                      SHA-512:5B559DC0F0B1A7331653B5C3DB88C1ECD6A88AB721C79829CD2F57034F4AD1CD120BE7A79D1B91830228BA1FF26E73D982B284C81A495399FF41911BE80A7E12
                      Malicious:true
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.1.8.8.6.5.2.1.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.2.d.f.8.d.0.-.b.3.1.6.-.4.7.9.4.-.8.b.d.0.-.4.2.6.a.e.4.e.1.2.8.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.f.6.4.a.a.1.-.0.8.1.e.-.4.e.e.7.-.9.8.a.5.-.8.f.e.d.6.0.a.8.3.3.8.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8774171114093317
                      Encrypted:false
                      SSDEEP:96:4XwR7shloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBDIiX:rAH56rwjxlk/u7sbS274It5E
                      MD5:5908259C5D9F1A295C347370C64591A6
                      SHA1:73888E8FF847D515DE63B6072ADF8300979C7608
                      SHA-256:171CF4E9AC017B0646ED2860297784CB0FFEC643B2086D9B04B7862294C1CA07
                      SHA-512:DE2377A1E4FDF3F7C682709870A15E8226F0D4CA585185BA39B324DCAE7236E42D0C53A33215083EB41806991C0CEA3D01D34346596D882D1F46921E2B6A45ED
                      Malicious:true
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.2.5.6.0.8.6.5.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.8.c.1.7.a.f.-.c.4.8.8.-.4.b.d.5.-.a.0.1.2.-.d.2.8.6.d.3.f.8.3.0.4.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.9.5.2.3.d.8.-.c.5.a.2.-.4.6.9.5.-.a.6.c.8.-.e.e.a.d.d.6.b.2.8.0.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8635490173780485
                      Encrypted:false
                      SSDEEP:96:mYnV7wR/shloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBz:TykH56rwjxG/u7sAS274It5E
                      MD5:BB701F9255E239DB0F27AEBC3EE53D43
                      SHA1:C0013B523C5EAB7AE8A96E6167EBDA6A44FAC869
                      SHA-256:A71EDC6B9168FD01EE055970FAE22F5592FF32CE62CC36F6BC42E64939DAFF90
                      SHA-512:D8E9EDDEB2A917853F53D06DD7D1BA29F265000F4883DE1AF51086418C73A88AFF516B118D2CAA9B859C99E8B2DC0A17311AF099A08FB830EF8A5CBAA46DC26A
                      Malicious:true
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.1.5.6.9.4.2.2.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.2.c.4.7.3.d.-.5.f.8.b.-.4.3.2.7.-.9.d.d.8.-.5.4.9.1.f.4.b.e.f.d.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.d.3.3.3.f.2.-.3.a.c.e.-.4.9.0.6.-.b.3.8.5.-.7.e.c.9.e.2.b.9.2.d.a.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8570740057313196
                      Encrypted:false
                      SSDEEP:96:iY+wRCshloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBDIM:BxH56rwjxy/u7sAS274It5E
                      MD5:94FA62DE2DE6A2AF49D88BF565602D1B
                      SHA1:A3DDD7742A08DEE39F5064A1EC80DB5DDCAAA07F
                      SHA-256:6832FFEDEF3322E192569B7E264B8A4D8D4C1E01BA704C5D025835A1F75CBADB
                      SHA-512:07ADC777F99603B2879772BED904624DF471BD48B7DB475D4EA8B921CAF3330FF6797FCFEDAE4A786EC2218F1D9EDAF3C5649373863BD3815B86D8C48465AE82
                      Malicious:true
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.1.1.8.8.7.2.3.5.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.a.1.3.2.3.6.-.b.d.1.1.-.4.9.5.3.-.b.1.c.7.-.2.1.2.8.8.1.c.9.e.9.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.b.1.a.3.b.c.-.2.0.9.3.-.4.c.c.7.-.9.a.6.c.-.7.c.4.c.a.1.6.f.a.5.f.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8772900520367355
                      Encrypted:false
                      SSDEEP:96:+4wRDshloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBDIi8:4oH56rwjxlk/u7sbS274It5E
                      MD5:B1CF46361A43EE1319E9A672595A659C
                      SHA1:DB305FB5E990C87607DC31B117F2E406F76C4673
                      SHA-256:9C4773A62BFDA7D66E522233163F2D69CFC213A2E20D2B5F1D82DC02C9D312C9
                      SHA-512:71941E6ED1E5C5AD2BE6A887E79F0BE73259813C3F7949F1DF57EB3E519582B0989D7DC26613576D2C68B971F7AF6C2BB2775C4A5DA0D370BD2D8D7B69DBE09B
                      Malicious:true
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.2.9.4.1.8.9.7.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.d.6.7.f.b.7.-.2.d.2.3.-.4.f.a.5.-.9.6.b.c.-.9.4.c.7.2.f.d.2.5.f.e.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.0.5.a.a.4.a.-.4.9.9.a.-.4.9.6.2.-.a.f.5.f.-.a.6.1.0.e.c.6.a.1.f.d.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8774641034858449
                      Encrypted:false
                      SSDEEP:96:L9DCwRnshloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBDG:Z7sH56rwjxlk/u7sbS274It5E
                      MD5:76B53D6054B18CA6052DD3B136605B63
                      SHA1:50E9777517AF88BA0F6CD0242CB97CC615BF37CD
                      SHA-256:9DA5119CD79312E876922C812BCD73D739A71F4FAC43525D30DE77BF67088F5B
                      SHA-512:65650A0FDFAF8D1F973D40173E46A348188FF04ED2C2F4DCBCA0A63A6D3053D7E7D0BAA9DB249005FE74D9B84A1FA57F8CAE5B9CAF7BA5782535A6034294A479
                      Malicious:true
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.3.4.0.2.4.7.9.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.2.a.a.d.6.2.-.3.a.9.8.-.4.3.1.f.-.b.f.d.6.-.2.4.9.d.9.0.8.c.5.d.a.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.6.0.a.1.7.3.-.5.c.f.a.-.4.b.f.2.-.b.8.b.f.-.1.4.9.7.b.b.5.f.c.a.3.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.8776413401735936
                      Encrypted:false
                      SSDEEP:96:egMUrOegwRbshloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72Oy2:QIZpgH56rwjxlk/u7sbS274It5E
                      MD5:070C32C8479C605B623585A13C8B68EB
                      SHA1:2B1F34717D17B838EB638F65BB19CA7F4F1A0E8D
                      SHA-256:5C7C7CA72B14717D2AD99C49BC29ACC0DD383A782DC08A6F5643EFF780AD601F
                      SHA-512:1A0A5F10D4945C5FC95089AFF292AD18E7B5E6DE3082E73835C6BA7945006E03542AD3476E632568A29066FC0A34F0DDFA451532EC137591EAAA74984306FCFB
                      Malicious:true
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.3.7.4.6.9.4.2.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.2.a.e.9.5.7.-.4.c.5.a.-.4.b.f.0.-.8.3.c.c.-.4.0.c.3.2.4.1.9.7.2.d.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.e.3.5.2.a.b.-.5.5.c.c.-.4.b.6.b.-.9.e.3.f.-.5.9.9.2.5.7.3.9.3.e.8.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Thu May 5 12:40:26 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):82940
                      Entropy (8bit):2.419360403248699
                      Encrypted:false
                      SSDEEP:384:s6mU6ecPUYTpHgqPpi/bqERBqlpdBSThAIWDnHjzv4/CjkpyPWeWEj7JY5mD:b6ecF/WMqTh8HjzvCCfWqYA
                      MD5:4E0FCF66325093518C5754B8F6243493
                      SHA1:5D7E739936EC0E70B40DA34D2A01642A71F4CEF1
                      SHA-256:AFD5DFBD711816B9342DFF86C7348BF59C63B68E859619FD47B1E4E87FD7EFD9
                      SHA-512:E39E1CD548ABA5B7A0223DDF659CB6271FB56DF3368C514DBC43F757052E3085E53B403E22CC06F0D92A4480D7068096F23C9099014619D2A2DD6A9B7F06307D
                      Malicious:false
                      Preview:MDMP....... .........sb............T...............\.......$....6..........T.......8...........T............ ...#..........@...........,....................................................................U...........B..............GenuineIntelW...........T.......8.....sb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8412
                      Entropy (8bit):3.704836972955608
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiXc6IxS5W6YWb/SUzgN0gmfwS3CpBst89brAsfv5m:RrlsNis6IxUW6YySUzY0gmfwS5KrTfM
                      MD5:7085203A35DC3F534F0CFF1B5DF0FCA3
                      SHA1:D042062D778DB9348191AD2DCEC1F29641742F63
                      SHA-256:5993C8A99127D2A29A30451E9AAAD4706E24B7FD0BE3B54083CDE98F5437F901
                      SHA-512:EE2DCAC8978A2257CD2AD7325961D719B09C8D5B64F3D23F86F3D380E5AA5B51F8BF35BDF604B9EF9FEC88DF08008FBAE9E8F9490094B180FE56C6D0CDB69A84
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.2.<./.P.i.d.>.......
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4704
                      Entropy (8bit):4.48799041622298
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zsGJgtWI9HyyWgc8sqYjk8fm8M4JyHMFv+q8vyHo/S4Jd:uITfcAyTgrsqYdJgmKgoa4Jd
                      MD5:34269584E7C2B1D28C88F6732EDBB4CB
                      SHA1:103DEA433C10D1980550EEB729B0126022AD63C9
                      SHA-256:EE80EFE834063051A84E112675EE65874C298CA024D0706F1E1B15947246E2FE
                      SHA-512:1267EE7F557D114CAC216CAC44EA30D4A12F0B53F6DF80EB36920D3210A30B912227C20933622B21247A5E84CF5BB3B906C05CF3A0DEDC04294EDAF92F401CA9
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501791" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Thu May 5 12:40:29 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):95754
                      Entropy (8bit):2.1014195071277935
                      Encrypted:false
                      SSDEEP:384:EdwxNWLO61K1Uev9NLbqTQKtRBqcHty8B/kP/jFvv5C470lZ/ajkpyPWeWkzvmhg:Ede61IBlcPp//kP7Fvv444ldafWvhz1m
                      MD5:8652497299CC88D253E189BDA49347C7
                      SHA1:50815BC9188FD0C247F2AF445B230E652D0292E4
                      SHA-256:1FFA07D955164F3774F359A1AB6C0C20FC390AD1B572E70C5D99ED24A6BAA2A5
                      SHA-512:DDDE030B173694723F9AA89A37FFA3BE1F8D5FE486A4C944727894E938452C5CA7944D2898458C0B3FDCC90FCA192A2B8E2C0ADE7430D814C56E8617710D5983
                      Malicious:false
                      Preview:MDMP....... .........sb....................................$....?..........T.......8...........T........... "...S...........................................................................................U...........B......T.......GenuineIntelW...........T.......8.....sb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8414
                      Entropy (8bit):3.703610859341354
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiX+6Ieb6YWzSUOmBgmfwS3CpBD89bsAsfSkm:RrlsNiO6Ieb6YCSUOmBgmfwSZsTfg
                      MD5:3A2AA5F63253BA9EBEA737429B82DAA0
                      SHA1:7A85E6BA966635D49F62A5A64ECA1B7165129762
                      SHA-256:ED50048D4D995BC2D3333C64C7BAF1FBBF40C8CD531A58638002EF9257138D1D
                      SHA-512:01BBD7F42C3BE9C95BCD013DD21E1DFEE38E33EB200F2B77C3AE0A1D7C3D6F30CA9DF5DEBFB5631834E7BF32E8EB60D6AD6300EDC2815F7B31B418405EAABC07
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.2.<./.P.i.d.>.......
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4704
                      Entropy (8bit):4.486722835348809
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zsGJgtWI9HyyWgc8sqYjps8fm8M4JyHMF/+q8vyHo/S4Jd:uITfcAyTgrsqYtRJgGKgoa4Jd
                      MD5:8D18C1B5C512A092175BDA8130A6F991
                      SHA1:C6C36B275556769E12E2545FBFB3108FA89F9BDB
                      SHA-256:0A108533A20E56651B9A4421D6227A6056EB9DED3EEE65D79BB6249F1729BC16
                      SHA-512:1D3F8E48E6056D162541430BE7803158BB4F007A8D0FBDA18EEDBEBAFDF9A89F02B6A9ECA67B6237A4DCECCD1A3429AFC7DA3792AFB1A7FFB64FC19F3C593717
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501791" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Thu May 5 12:40:19 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):83752
                      Entropy (8bit):2.4289512577684818
                      Encrypted:false
                      SSDEEP:384:SD6m46sxkWR7PqlpSYqbqTgRBq5pdBSThAIWDnHjzv4/CRkpyPWeWEzCj9uEO:SI6s37yB4c1qTh8HjzvCCJWbu
                      MD5:016703E04EDCE822899541773C68F07B
                      SHA1:2BB25B21E0A9A1CFEB1B4B695C07DAF9EC11BCE5
                      SHA-256:CFAA27327896C69E2FAEC1768617FBF221BA6D40FB01B9FA0CE13DFCE7F845A6
                      SHA-512:4701F583CB2517B8953ACAB1BEA1EFEE6FE2FD7C5DB1DDA115B70165FFFC9E3B9EF0969FAA32251A0F6906A6D20819DC2144323F21756A7861EB25309FCAFF30
                      Malicious:false
Preview:MDMP (minidump header; readable strings: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804; remaining binary content omitted)
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Thu May 5 12:40:34 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):95234
                      Entropy (8bit):2.1152729640763837
                      Encrypted:false
                      SSDEEP:384:OLwxNW46I/ft3z44vgILbqTJNs8PIKyRBqAHsCP/jFvv5C470lZ/ajkpyPDeWk78:OLM6I93eOcg4iP7Fvv444ldafDW3C+S
                      MD5:7E4F2ED8F56A715AD723B10F5090863D
                      SHA1:46A87441A2DFDAF161D075598414E95EEE899791
                      SHA-256:C72440E77E5B3EBB2BEF85BE9F3EEEE2FB3111E83BA24CEFED3C6048C3EA7BEC
                      SHA-512:9E0BE163B7C7566AB082776956C5968A56605D537C2FF09FB9A6F28CE2F160F756652D095F70F01450CC7C05E4EF5ACC5C251C6A33F5E1A99A141FF06DD9214E
                      Malicious:false
Preview:MDMP (minidump header; readable strings: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804; remaining binary content omitted)
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8412
                      Entropy (8bit):3.7025697219105487
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiX+6Ie7ub6YWzSUZNgmfwS3CpBS89bIAsfNYm:RrlsNiO6Ie7ub6YCSUZNgmfwSmITfX
                      MD5:351702278BFB4F913C64D7B32254E491
                      SHA1:0899A811DEA171CE7E3F5EBE7E46D49196D5EED1
                      SHA-256:D9CC60346ED834A1E8AA5F76E4A35F1CED6777D1D198B084EBD052CA814779E6
                      SHA-512:B562AF57DF19E7CFD43954358861A51812F96D3CAEA23434198BA42A7E21B280D0782B3504029985244B54D63839D24A5B50C0E985F3ADF02ECB69C5BBE24782
                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>1592</Pid>..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4704
                      Entropy (8bit):4.490571287892598
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zsGJgtWI9HyyWgc8sqYjz8fm8M4JyHMF+z+q8vyHo/S4Jd:uITfcAyTgrsqY0JgxzKgoa4Jd
                      MD5:B1309460E6A3530F0CD91114E1BEE2EB
                      SHA1:344C5167F32E869AA43805F5F9EB44475787EEA4
                      SHA-256:B6ABBCA54DF7EC1DBF6E8179D778719D6F13D4D1D34E85CBAC9BE053215E25AF
                      SHA-512:11532CA3CA48244009ABC4D2A8EC502C01DA47E075BF7D4A7173DE22699B86CB321BB3A04CDBE6CD2B2D7C14CDC78A802FCE7BD509A64F180304D5AABE3355DC
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501791" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Thu May 5 12:40:38 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):95266
                      Entropy (8bit):2.1510015050081264
                      Encrypted:false
                      SSDEEP:768:+A3n6XSLfzolcJP7Fvv444ldafW4YUs8:/bboIPpvvaldafW4YUs8
                      MD5:1E7B0A782E7E255A743111106FDA01F4
                      SHA1:6E503317B9AB2A60DFB2E687FF18DAF139CE53CC
                      SHA-256:C479C1B148A74FC7C8761127F3A73A0E67CA072FB604B12A7072B360440344F5
                      SHA-512:5293826821F8880AE5EB98DDA8DC236DB88916586F925A7494FE39812222CD521E2843156D2F78063FCFC7405630796A7494C6D4E89CBB367312B7E0A360A197
                      Malicious:false
Preview:MDMP (minidump header; readable strings: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804; remaining binary content omitted)
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8414
                      Entropy (8bit):3.703074171870118
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiXi6IeT+6YWrSUCmwgmfwS3CpBE89b0Asf3D8m:RrlsNiy6Ieq6YKSUCmwgmfwSM0Tf3d
                      MD5:E5E79DB734B573FC3D62A2FAB266D0D1
                      SHA1:31CD7AE4F6A2D6F15CB35983C8AD85ABA35C71A3
                      SHA-256:CB8C4E7222E59391ED027F7640B5EF16EC3B7A6F65D9D90E3DA666A1C9F3D855
                      SHA-512:626F022F6712ADE4A93846A76949C3F49DD47D67E83630E78FB2F44EE495D5C97C539927C9DA928FC96AE646835FDC032AF5D874841D9C732FE63610DB17B80D
                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>1592</Pid>..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4704
                      Entropy (8bit):4.491275091994293
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zsGJgtWI9HyyWgc8sqYj2O/8fm8M4JyHMFV+q8vyHo/S4Jd:uITfcAyTgrsqYyrJgAKgoa4Jd
                      MD5:22A9BC37AA68983F17219F8759BE6329
                      SHA1:CA6670108782C1C595F25485BBE2FC85B004B990
                      SHA-256:F2A900B3E240C515018C0F4107BF7C716AE4D7A8FF2EBDD7B66F6366DB383597
                      SHA-512:19734112F4D25A5070ECFC1F0F6C3C8EFB60AC99E38602C5F63B3048B10609997BDAD1C776DBFB06F829E2F491DA7286F9A8E4EF5AE288950F63A1B4366D0B2B
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501791" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8414
                      Entropy (8bit):3.7024272119958797
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiXd6IxLHv6YWwSUWmggmfwS3CpB889bfAsf0sVm:RrlsNit6IxTv6YhSUWmggmfwS0fTf2
                      MD5:5499AA13B33AAC94867AB8E7FE331230
                      SHA1:EA921C47B6FD21F988AB0B3EB2B6C19B5C3979E3
                      SHA-256:2A5BB51D3D4DA337239661BB858E5ED8188BC2E2A9F22FEAA12C21D7AC7F1A0B
                      SHA-512:1CEB67E0CD7684E3FBF5B9639C4F28448A803273DD331C7DF59B771C67A06AE2E91525DCC6A0FF755C046CB9A252A9181D243B53004C333E2BFD613FAF291CE0
                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>1592</Pid>..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4704
                      Entropy (8bit):4.486743778621484
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zs3NJgtWI9HyyWgc8sqYjRS8fm8M4JyHMFK+q8vyHo/S4Jd:uITf3nAyTgrsqYBJgjKgoa4Jd
                      MD5:FA506C2DCBE1904491B680DF01070820
                      SHA1:728BE6F69194C7D0B87D04FBEA761D2A47F80622
                      SHA-256:F84997D5C5577D189AF9D725F815128F6FC9B4F2370A831DDAB26FC1BF068442
                      SHA-512:F20EA9B1E7372879D56C903AEC9B9CD6C662C9E1232E6EE4F741FAB525CC32B36D83C11A034514774CA282004888AB24C74F6CD02FEAA296EF6BD47692679B2C
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501790" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Thu May 5 12:40:12 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):56884
                      Entropy (8bit):2.415860924030049
                      Encrypted:false
                      SSDEEP:192:fPKgcsg6XO6/kemPrvqTYduUPrJ0RKOmDPvCgFo5cM8V/CdNA99XoABNn/TnWAPH:Ks5+647qTaR69yPreWM8V/CduYAP3
                      MD5:084523D0081F9FCB92BDB2BE918C02B4
                      SHA1:D452A6850378959506A7E9DE9B32DB4B0301B014
                      SHA-256:DE5096BBEC9A850DB1AB1CC02E1D4A705BC16374233272BD1C0D1876DDE39504
                      SHA-512:AA31ACE0BAA48F7999C45EB9405E2CE84AA47245F0A732E12D985461B1CC8A4C74175DE90AD7D7455C074E0CFAF0AF8CC468D05965EAB3AA29DE2E0406FA44FC
                      Malicious:false
Preview:MDMP (minidump header; readable strings: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804; remaining binary content omitted)
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8396
                      Entropy (8bit):3.7035592860710342
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiXi67Tn6YW3SU8q8EGgmfwS3CpB189blAsffXm:RrlsNiS6f6YWSU8qWgmfwS/lTfe
                      MD5:042D67A49C3B904D8EC80BFBCA455927
                      SHA1:94D0F9197194061DD0A56F87CE23A447E22D7E3D
                      SHA-256:1903C1E93B0B51E4B2E180D790BA2B0A257615046793D41072001E52BDD3356F
                      SHA-512:E36325D464D6DB3C45DD759BAA5B58E39ED866F18F87A864C2D1A8FB5F34EBEAAB4822EA8A187B9A457C95B3B024DF373B70303BFE96510A1D40F0ACF0DE889F
                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>1592</Pid>..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4704
                      Entropy (8bit):4.48831411399447
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zs3NJgtWI9HyyWgc8sqYjD8fm8M4JyHMF7+q8vyHo/S4Jd:uITf3nAyTgrsqYcJgyKgoa4Jd
                      MD5:2013DBBC396E4181584618890D6303E5
                      SHA1:6242779877B071CB5671ECDF90B6001A8CB50024
                      SHA-256:51B5503DCB1AC878B6F684FEA0592C9A3207167DC33A3562471D3879C1963139
                      SHA-512:8CACB344D009BA19CC292A7D72652EB64671AFD2EB2E12EF3CC46F56567212005EF24FB8DAF1C721260CB1B1B89A32270C8A3FEDF220ADC9ACDB72EB4468753F
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501790" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Thu May 5 12:40:16 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):66184
                      Entropy (8bit):2.4170302037551803
                      Encrypted:false
                      SSDEEP:384:nhA6LAuRhVz7qTWRHmAT6cgoypOWkHfZwHyPreWoGbNc6oq:W6LzRTcCOJpTkHf/rTcX
                      MD5:03152090D258B31B0A5841B5F8DE9894
                      SHA1:6148F0F788B953E99BE2ED87F5F576780540AFC8
                      SHA-256:D314B293B63F3317BC57C229001786D52B211C4713718A2D07AB61870430B532
                      SHA-512:9F01EE60A270631BE9C611833FE93371AA5889928EB4729E53291C125E1E68CA380C9E1948D190A4709A3BCC1E629D667C293C3B0CCAB337EDAEF7BE41F88E6E
                      Malicious:false
Preview:MDMP (minidump header; readable strings: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804; remaining binary content omitted)
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8408
                      Entropy (8bit):3.7054266064062933
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiX56l6YWISUcmqgmfwS3CpBK89b4AsfAIm:RrlsNip6l6YpSUcmqgmfwSe4TfW
                      MD5:A035334EC161C6D7F5680C9A8DA9E44E
                      SHA1:C1FBBCDBFA56F9C9793687E7E9E4E07D04CBE7B5
                      SHA-256:A52129FD48EA1899AEA1136E9EA74D7CF6DCE8799488892BE8E16B99DF137145
                      SHA-512:399CA2D36E67F88EB86BBFC135C5D12FD5646E9BD54B08F9A96EDFB51F93CAF39002D6338B8BC69152071087A73E79B265ABB0A63C5B8C6D65553F3E3C33B0EA
                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>17134</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>.. <Revision>1</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>1592</Pid>..
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4704
                      Entropy (8bit):4.488609169147605
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zs3NJgtWI9HyyWgc8sqYjeBb8fm8M4JyHMFHD+q8vyHo/S4Jd:uITf3nAyTgrsqYSBYJgsDKgoa4Jd
                      MD5:4AF206325FCB38DF334DC89D2E124161
                      SHA1:56A544ABC7059C20AFAE962EE400AF6BA82681F3
                      SHA-256:9AFB525540C42E4FD140FF4833FA4CCCCEAC223F91909863883732E00CE334B1
                      SHA-512:1742F305A72484C29C15B6C5755A31C1D41D789A7C9D2C46B205646B8C08E9A9376592B2D58E8D0D4B2C88154A3440A6297EFE9AEAFB8996D8DD23FC8AA3C972
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501790" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.13596800103892
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.83%
                      • Windows Screen Saver (13104/52) 0.13%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:qjrOWCCE58.exe
                      File size:382976
                      MD5:732132623989caae367e0878298b7e9b
                      SHA1:e493be600aa8ecf7384ac3f23454daf6fdd1821d
                      SHA256:32f431ba791fcd1f53e53b26447c9dbf59983549f567bac43ea9578b98de4ca8
                      SHA512:6b98ae444381d8782ea5177694f5a5377e22f360d42bd579463f9da5c9b82cef77aa4bef489d23ca5cb6cc503e906f8231e9a79650cb79ebb5b226fd8c5c95ae
                      SSDEEP:6144:SOHGuNkVVlgz8djnAv3GsrCynHcyMHwLQ9zsF2RcS3+Xyiv+Y6itQ7VsS:SihyV368djA+spnHcyMQwSS3+B+QGVs
                      TLSH:DB84BE10BB90C034F5B761F48A76C3A8793EBDA19B2455CB62D43AEE66346E0EC31357
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............n...n...n...<8..n...<...n.......n...n..En...<)..n...<9..n...<<..n..Rich.n..................PE..L.....p`...................
                      Icon Hash:c6e8e8e8e8f0e461
                      Entrypoint:0x40c1b0
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                      DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                      Time Stamp:0x6070DBE8 [Fri Apr 9 22:57:44 2021 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:0
                      File Version Major:5
                      File Version Minor:0
                      Subsystem Version Major:5
                      Subsystem Version Minor:0
                      Import Hash:6155d4d1fe9d4982682a0787c78cb5b8
                      Instruction
                      mov edi, edi
                      push ebp
                      mov ebp, esp
                      call 00007F2F58C86E2Bh
                      call 00007F2F58C79B06h
                      pop ebp
                      ret
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      int3
                      mov edi, edi
                      push ebp
                      mov ebp, esp
                      push FFFFFFFEh
                      push 0042A518h
                      push 0040FE10h
                      mov eax, dword ptr fs:[00000000h]
                      push eax
                      add esp, FFFFFF94h
                      push ebx
                      push esi
                      push edi
                      mov eax, dword ptr [004515A4h]
                      xor dword ptr [ebp-08h], eax
                      xor eax, ebp
                      push eax
                      lea eax, dword ptr [ebp-10h]
                      mov dword ptr fs:[00000000h], eax
                      mov dword ptr [ebp-18h], esp
                      mov dword ptr [ebp-70h], 00000000h
                      mov dword ptr [ebp-04h], 00000000h
                      lea eax, dword ptr [ebp-60h]
                      push eax
                      call dword ptr [004010ACh]
                      mov dword ptr [ebp-04h], FFFFFFFEh
                      jmp 00007F2F58C79B18h
                      mov eax, 00000001h
                      ret
                      mov esp, dword ptr [ebp-18h]
                      mov dword ptr [ebp-78h], 000000FFh
                      mov dword ptr [ebp-04h], FFFFFFFEh
                      mov eax, dword ptr [ebp-78h]
                      jmp 00007F2F58C79C47h
                      mov dword ptr [ebp-04h], FFFFFFFEh
                      call 00007F2F58C79C84h
                      mov dword ptr [ebp-6Ch], eax
                      push 00000001h
                      call 00007F2F58C87ECAh
                      add esp, 04h
                      test eax, eax
                      jne 00007F2F58C79AFCh
                      push 0000001Ch
                      call 00007F2F58C79C3Ch
                      add esp, 04h
                      call 00007F2F58C7FA44h
                      test eax, eax
                      jne 00007F2F58C79AFCh
                      push 00000010h
                      Programming Language:
                      • [ C ] VS2008 build 21022
                      • [IMP] VS2005 build 50727
                      • [ASM] VS2008 build 21022
                      • [LNK] VS2008 build 21022
                      • [RES] VS2008 build 21022
                      • [C++] VS2008 build 21022
                      Name                                  Virtual Address  Virtual Size  Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x2ac0c          0x3c          .text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x92000          0xbf20        .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x1310           0x1c          .text
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_TLS             0x8ab8           0x18          .text
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x8a70           0x40          .text
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x2c4         .text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                      Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                      .text  0x1000           0x2acb6       0x2ae00   False     0.42072476312    data       6.17133186898   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .data  0x2c000          0x65428       0x26600   False     0.96707680171    data       7.92962544889   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .rsrc  0x92000          0xbf20        0xc000    False     0.537943522135   data       5.62006436442   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      Name               RVA      Size    Type                                                         Language  Country
                      AFX_DIALOG_LAYOUT  0x9c018  0x2     data                                                         Uzbek     Italy
                      AFX_DIALOG_LAYOUT  0x9c010  0x2     data                                                         Uzbek     Italy
                      MIMELA             0x9bc80  0x2fa   ASCII text, with very long lines, with no line terminators   Uzbek     Italy
                      RT_CURSOR          0x9c020  0x130   data                                                         Uzbek     Italy
                      RT_CURSOR          0x9c168  0x130   data                                                         Uzbek     Italy
                      RT_CURSOR          0x9c298  0xf0    data                                                         Uzbek     Italy
                      RT_CURSOR          0x9c388  0x10a8  dBase III DBT, version number 0, next free block index 40    Uzbek     Italy
                      RT_ICON            0x92720  0x6c8   data                                                         Uzbek     Italy
                      RT_ICON            0x92de8  0x568   GLS_BINARY_LSB_FIRST                                         Uzbek     Italy
                      RT_ICON            0x93350  0x10a8  data                                                         Uzbek     Italy
                      RT_ICON            0x943f8  0x988   dBase III DBT, version number 0, next free block index 40    Uzbek     Italy
                      RT_ICON            0x94d80  0x468   GLS_BINARY_LSB_FIRST                                         Uzbek     Italy
                      RT_ICON            0x95238  0x8a8   dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"  Uzbek  Italy
                      RT_ICON            0x95ae0  0x6c8   dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"  Uzbek  Italy
                      RT_ICON            0x961a8  0x568   GLS_BINARY_LSB_FIRST                                         Uzbek     Italy
                      RT_ICON            0x96710  0x10a8  data                                                         Uzbek     Italy
                      RT_ICON            0x977b8  0x988   data                                                         Uzbek     Italy
                      RT_ICON            0x98140  0x468   GLS_BINARY_LSB_FIRST                                         Uzbek     Italy
                      RT_ICON            0x98608  0x25a8  dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4292543265, next used block 4292805161  Uzbek  Italy
                      RT_ICON            0x9abb0  0x10a8  dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4292739362, next used block 4293001766  Uzbek  Italy
                      RT_STRING          0x9d5a0  0x16e   data                                                         Uzbek     Italy
                      RT_STRING          0x9d710  0x4b8   data                                                         Uzbek     Italy
                      RT_STRING          0x9dbc8  0x23c   data                                                         Uzbek     Italy
                      RT_STRING          0x9de08  0x114   data                                                         Uzbek     Italy
                      RT_ACCELERATOR     0x9bfb8  0x58    data                                                         Uzbek     Italy
                      RT_ACCELERATOR     0x9bf80  0x38    data                                                         Uzbek     Italy
                      RT_GROUP_CURSOR    0x9c150  0x14    data                                                         Uzbek     Italy
                      RT_GROUP_CURSOR    0x9d430  0x30    data                                                         Uzbek     Italy
                      RT_GROUP_ICON      0x9bc58  0x22    data                                                         Uzbek     Italy
                      RT_GROUP_ICON      0x985a8  0x5a    data                                                         Uzbek     Italy
                      RT_GROUP_ICON      0x951e8  0x4c    data                                                         Uzbek     Italy
                      RT_VERSION         0x9d460  0x140   MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79  Uzbek  Italy
                      DLL           Import
                      KERNEL32.dll  GetNamedPipeHandleStateW, CreateIoCompletionPort, FillConsoleOutputCharacterW, SetThreadAffinityMask, TerminateProcess, GetCurrentProcessId, GetVersionExA, EnumDateFormatsExW, FindNextFileW, CopyFileExA, BuildCommDCBAndTimeoutsW, DebugSetProcessKillOnExit, WriteProfileStringW, WritePrivateProfileStructA, FindFirstChangeNotificationA, MapViewOfFileEx, CreateTimerQueue, FindNextVolumeMountPointA, SetVolumeMountPointW, GetWriteWatch, ReadConsoleInputA, SetComputerNameExA, SystemTimeToTzSpecificLocalTime, GetSystemDirectoryA, GetDriveTypeW, BuildCommDCBAndTimeoutsA, LoadLibraryA, GlobalAlloc, VerifyVersionInfoW, GetBinaryTypeA, InterlockedExchange, InterlockedDecrement, FormatMessageW, SetDllDirectoryA, GetNamedPipeHandleStateA, WritePrivateProfileStringA, GetConsoleAliasesLengthW, GetProcessHeap, OpenWaitableTimerW, UnlockFile, InterlockedIncrement, GetStartupInfoW, GetSystemWow64DirectoryW, SetLastError, GetConsoleAliasExesW, ContinueDebugEvent, EndUpdateResourceA, GetLastError, FlushConsoleInputBuffer, SetDefaultCommConfigW, VirtualFree, GlobalUnfix, GetSystemWindowsDirectoryA, CopyFileA, TerminateThread, GetOEMCP, EnterCriticalSection, HeapUnlock, GetMailslotInfo, CreateActCtxA, GetConsoleAliasW, _lwrite, CreateNamedPipeA, SetSystemTimeAdjustment, DefineDosDeviceW, GetAtomNameA, SetConsoleScreenBufferSize, EnumResourceTypesA, lstrlenA, LoadLibraryW, MoveFileW, WriteConsoleA, VirtualProtect, GetModuleHandleW, ReadConsoleOutputW, GetThreadContext, BuildCommDCBW, AddRefActCtx, WritePrivateProfileStringW, GetFileAttributesW, CopyFileW, GetVolumePathNameW, GetCommMask, CloseHandle, EnumDateFormatsExA, FindActCtxSectionStringA, GetNamedPipeInfo, AttachConsole, GlobalGetAtomNameW, SetComputerNameA, GetConsoleAliasesW, WriteConsoleInputW, CreateMailslotW, SetLocalTime, EnumSystemLocalesA, CallNamedPipeA, GetConsoleAliasExesLengthW, FindActCtxSectionStringW, GetPrivateProfileIntW, GetModuleHandleExW, GetStringTypeA, GetTickCount, OpenWaitableTimerA, GlobalWire, GetCompressedFileSizeW, SetThreadPriority, MapUserPhysicalPages, WriteConsoleOutputCharacterA, EnumDateFormatsA, TerminateJobObject, CreateFileW, GetDateFormatA, FindAtomA, FindNextVolumeA, Sleep, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwind, WideCharToMultiByte, HeapValidate, IsBadReadPtr, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameW, GetCurrentProcess, IsDebuggerPresent, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, GetACP, GetCPInfo, IsValidCodePage, SetStdHandle, GetFileType, WriteFile, GetConsoleCP, GetConsoleMode, SetHandleCount, GetStdHandle, GetStartupInfoA, QueryPerformanceCounter, GetSystemTimeAsFileTime, ExitProcess, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapDestroy, HeapCreate, HeapFree, GetModuleFileNameA, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, FlushFileBuffers, DebugBreak, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, GetStringTypeW, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetConsoleOutputCP, SetFilePointer, CreateFileA, ReadFile
                      ADVAPI32.dll  ImpersonateSelf
                      Description   Data
                      Translations  0x0208 0x02be

                      Language of compilation system  Country where language is spoken  Map
                      Uzbek                           Italy
                      No network behavior found

                      Target ID:0
                      Start time:05:40:06
                      Start date:05/05/2022
                      Path:C:\Users\user\Desktop\qjrOWCCE58.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\qjrOWCCE58.exe"
                      Imagebase:0x400000
                      File size:382976 bytes
                      MD5 hash:732132623989CAAE367E0878298B7E9B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.269341375.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.283327894.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.262759789.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.253715249.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.280137430.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.253175312.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.302456596.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.291073585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.283828611.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.263480015.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.284150109.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.301360286.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.302642354.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.250452760.0000000000860000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.254142123.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.292136739.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.301881203.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.269598460.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.262441622.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.263212749.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.309005504.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.309602192.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.309769483.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.291503648.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.270183524.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.292619266.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.252534472.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.269963050.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.309168636.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low

                      Target ID:2
                      Start time:05:40:10
                      Start date:05/05/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 656
                      Imagebase:0x60000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:4
                      Start time:05:40:15
                      Start date:05/05/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 772
                      Imagebase:0x60000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:8
                      Start time:05:40:18
                      Start date:05/05/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 796
                      Imagebase:0x60000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:11
                      Start time:05:40:25
                      Start date:05/05/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 628
                      Imagebase:0x60000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:15
                      Start time:05:40:28
                      Start date:05/05/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 900
                      Imagebase:0x60000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:22
                      Start time:05:40:33
                      Start date:05/05/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 908
                      Imagebase:0x60000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:25
                      Start time:05:40:36
                      Start date:05/05/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 916
                      Imagebase:0x60000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:26
                      Start time:05:40:40
                      Start date:05/05/2022
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit
                      Imagebase:0xc20000
                      File size:232960 bytes
                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:27
                      Start time:05:40:42
                      Start date:05/05/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7c9170000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:29
                      Start time:05:40:43
                      Start date:05/05/2022
                      Path:C:\Windows\SysWOW64\taskkill.exe
                      Wow64 process (32bit):true
                      Commandline:taskkill /im "qjrOWCCE58.exe" /f
                      Imagebase:0xc0000
                      File size:74752 bytes
                      MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      No disassembly