29.0.0 Ocean Jasper
Transcript of 29.0.0 Ocean Jasper
ID: 238148Sample Name: PD_66910971.xlsCookbook: default.jbsTime: 19:19:28Date: 12/06/2020Version: 29.0.0 Ocean Jasper
25555555555566666777889999
101010131414151515151717202020343435353535353536363636
36373737
3737
Table of Contents
Table of ContentsAnalysis Report PD_669 10971.xls
OverviewGeneral InformationDetectionSignaturesClassification
StartupMalware ConfigurationYara OverviewSigma Overview
System Summary:Signature Overview
AV Detection:Software Vulnerabilities:System Summary:Mitre Att&ck Matrix
Behavior GraphScreenshots
ThumbnailsAntivirus, Machine Learning and Genetic Malware Detection
Initial SampleDropped FilesUnpacked PE FilesDomainsURLs
Domains and IPsContacted DomainsURLs from Memory and BinariesContacted IPsPublic
General InformationSimulations
Behavior and APIsJoe Sandbox View / Context
IPsDomainsASNJA3 FingerprintsDropped Files
Created / dropped FilesStatic File Info
GeneralFile IconStatic OLE Info
GeneralOLE File "PD_669 10971.xls"IndicatorsSummaryDocument SummaryStreams with VBA
VBA File Name: CarClass.cls, Stream Size: 2504General
VBA Code KeywordsVBA CodeVBA File Name: Module0.bas, Stream Size: 683General
VBA Code KeywordsVBA Code
Copyright null 2020 Page 2 of 113
3737
37383838
38404040
40404141
41414242
42424242
42424242
43434343
43444444
4444
44444445454545454545454646464646464646474747474747474748484848484848484949494949494949
505050505050
VBA File Name: Module1.bas, Stream Size: 4935General
VBA Code KeywordsVBA CodeVBA File Name: Module2.bas, Stream Size: 9174General
VBA Code KeywordsVBA CodeVBA File Name: Module4.bas, Stream Size: 2564General
VBA Code KeywordsVBA CodeVBA File Name: Module5.bas, Stream Size: 4120General
VBA Code KeywordsVBA CodeVBA File Name: Page1.cls, Stream Size: 977General
VBA Code KeywordsVBA CodeVBA File Name: Page11.cls, Stream Size: 977General
VBA Code KeywordsVBA CodeVBA File Name: PrepareForm.frm, Stream Size: 1650General
VBA Code KeywordsVBA CodeVBA File Name: UserForm6.frm, Stream Size: 1159General
VBA Code KeywordsVBA CodeVBA File Name: one.cls, Stream Size: 3051General
VBA Code KeywordsVBA Code
StreamsStream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 292GeneralStream Path: \x5SummaryInformation, File Type: data, Stream Size: 352GeneralStream Path: MBD0090C244/\x1CompObj, File Type: data, Stream Size: 76GeneralStream Path: MBD0090C244/\x1Ole10Native, File Type: data, Stream Size: 614941GeneralStream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 135282GeneralStream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 944GeneralStream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 266GeneralStream Path: _VBA_PROJECT_CUR/PrepareForm/\x1CompObj, File Type: data, Stream Size: 97GeneralStream Path: _VBA_PROJECT_CUR/PrepareForm/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 311GeneralStream Path: _VBA_PROJECT_CUR/PrepareForm/f, File Type: data, Stream Size: 13229GeneralStream Path: _VBA_PROJECT_CUR/PrepareForm/o, File Type: empty, Stream Size: 0GeneralStream Path: _VBA_PROJECT_CUR/UserForm6/\x1CompObj, File Type: data, Stream Size: 97GeneralStream Path: _VBA_PROJECT_CUR/UserForm6/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 292GeneralStream Path: _VBA_PROJECT_CUR/UserForm6/f, File Type: data, Stream Size: 395GeneralStream Path: _VBA_PROJECT_CUR/UserForm6/o, File Type: data, Stream Size: 292GeneralStream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 7159GeneralStream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2529GeneralStream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 335GeneralStream Path: _VBA_PROJECT_CUR/VBA/__SRP_4, File Type: data, Stream Size: 160GeneralStream Path: _VBA_PROJECT_CUR/VBA/__SRP_5, File Type: data, Stream Size: 656GeneralStream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1327General
Network BehaviorCode ManipulationsStatistics
BehaviorSystem Behavior
Analysis Process: EXCEL.EXE PID: 5416 Parent PID: 700
Copyright null 2020 Page 3 of 113
50505051525263
64646464
646465
656565656566
87878788
888888888989
111111
111111
111111
111111
112112
112112
112112
113113
113
GeneralFile Activities
File CreatedFile DeletedFile MovedFile WrittenFile Read
Registry ActivitiesKey CreatedKey Value CreatedKey Value Modified
Analysis Process: splwow64.exe PID: 6088 Parent PID: 5416GeneralFile Activities
Analysis Process: WerFault.exe PID: 4832 Parent PID: 5416GeneralFile Activities
File CreatedFile DeletedFile Written
Registry ActivitiesKey CreatedKey Value CreatedKey Value Modified
Analysis Process: WerFault.exe PID: 4664 Parent PID: 5416GeneralFile Activities
File CreatedFile DeletedFile Written
Registry ActivitiesKey Created
Analysis Process: WerFault.exe PID: 4316 Parent PID: 5416General
Analysis Process: WerFault.exe PID: 5908 Parent PID: 5416General
Analysis Process: WerFault.exe PID: 956 Parent PID: 5416General
Analysis Process: WerFault.exe PID: 4856 Parent PID: 5416General
Analysis Process: WerFault.exe PID: 4312 Parent PID: 5416General
Analysis Process: WerFault.exe PID: 2600 Parent PID: 5416General
Analysis Process: WerFault.exe PID: 4568 Parent PID: 5416General
Disassembly
Copyright null 2020 Page 4 of 113
Analysis Report PD_669 10971.xls
Overview
General Information
Sample Name:
PD_669 10971.xls
MD5: e01daa23055e3e…
SHA1: 5a72024f11fe977…
SHA256: 7bafb9938c0694b…
Most interesting Screenshot:
Detection
Get2DownloaderGet2DownloaderScore: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Document exploit detected (creates f
Document exploit detected (creates f
Document exploit detected (creates f
Document exploit detected (creates f
Document exploit detected (creates f
Document exploit detected (creates f
Document exploit detected (creates fDocument exploit detected (creates f……
Document exploit detected (drops PE
Document exploit detected (drops PE
Document exploit detected (drops PE
Document exploit detected (drops PE
Document exploit detected (drops PE
Document exploit detected (drops PE
Document exploit detected (drops PEDocument exploit detected (drops PE……
Multi AV Scanner detection for dropp
Multi AV Scanner detection for dropp
Multi AV Scanner detection for dropp
Multi AV Scanner detection for dropp
Multi AV Scanner detection for dropp
Multi AV Scanner detection for dropp
Multi AV Scanner detection for droppMulti AV Scanner detection for dropp……
Multi AV Scanner detection for subm
Multi AV Scanner detection for subm
Multi AV Scanner detection for subm
Multi AV Scanner detection for subm
Multi AV Scanner detection for subm
Multi AV Scanner detection for subm
Multi AV Scanner detection for submMulti AV Scanner detection for subm……
Office document tries to convince vic
Office document tries to convince vic
Office document tries to convince vic
Office document tries to convince vic
Office document tries to convince vic
Office document tries to convince vic
Office document tries to convince vicOffice document tries to convince vic……
Sigma detected: Get2 Downloader
Sigma detected: Get2 Downloader
Sigma detected: Get2 Downloader
Sigma detected: Get2 Downloader
Sigma detected: Get2 Downloader
Sigma detected: Get2 Downloader
Sigma detected: Get2 DownloaderSigma detected: Get2 Downloader
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VBDocument contains an embedded VB……
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VBDocument contains an embedded VB……
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VB
Document contains an embedded VBDocument contains an embedded VB……
Document contains an embedded ma
Document contains an embedded ma
Document contains an embedded ma
Document contains an embedded ma
Document contains an embedded ma
Document contains an embedded ma
Document contains an embedded maDocument contains an embedded ma……
Machine Learning detection for samp
Machine Learning detection for samp
Machine Learning detection for samp
Machine Learning detection for samp
Machine Learning detection for samp
Machine Learning detection for samp
Machine Learning detection for sampMachine Learning detection for samp……
Office process drops PE file
Office process drops PE file
Office process drops PE file
Office process drops PE file
Office process drops PE file
Office process drops PE file
Office process drops PE fileOffice process drops PE file
Creates files inside the system direc
Creates files inside the system direc
Creates files inside the system direc
Creates files inside the system direc
Creates files inside the system direc
Creates files inside the system direc
Creates files inside the system direcCreates files inside the system direc……
Document contains embedded VBA m
Document contains embedded VBA m
Document contains embedded VBA m
Document contains embedded VBA m
Document contains embedded VBA m
Document contains embedded VBA m
Document contains embedded VBA mDocument contains embedded VBA m……
Drops PE files
Drops PE files
Drops PE files
Drops PE files
Drops PE files
Drops PE files
Drops PE filesDrops PE files
Enables debug privileges
Enables debug privileges
Enables debug privileges
Enables debug privileges
Enables debug privileges
Enables debug privileges
Enables debug privilegesEnables debug privileges
Found a high number of Window / Us
Found a high number of Window / Us
Found a high number of Window / Us
Found a high number of Window / Us
Found a high number of Window / Us
Found a high number of Window / Us
Found a high number of Window / UsFound a high number of Window / Us……
IP address seen in connection with o
IP address seen in connection with o
IP address seen in connection with o
IP address seen in connection with o
IP address seen in connection with o
IP address seen in connection with o
IP address seen in connection with oIP address seen in connection with o……
One or more processes crash
One or more processes crash
One or more processes crash
One or more processes crash
One or more processes crash
One or more processes crash
One or more processes crashOne or more processes crash
Queries disk information (often used
Queries disk information (often used
Queries disk information (often used
Queries disk information (often used
Queries disk information (often used
Queries disk information (often used
Queries disk information (often used Queries disk information (often used ……
Sample file is different than original f
Sample file is different than original f
Sample file is different than original f
Sample file is different than original f
Sample file is different than original f
Sample file is different than original f
Sample file is different than original fSample file is different than original f……
Tries to load missing DLLs
Tries to load missing DLLs
Tries to load missing DLLs
Tries to load missing DLLs
Tries to load missing DLLs
Tries to load missing DLLs
Tries to load missing DLLsTries to load missing DLLs
Classification
Malware Configuration
Yara Overview
Sigma Overview
System Summary:
Sigma detected: Get2 Downloader
Ransomware
Spreading
Phishing
Banker
Trojan / Bot
Adware
Spyware
Exploiter
Evader
Miner
clean
clean
clean
clean
clean
clean
clean
suspicious
suspicious
suspicious
suspicious
suspicious
suspicious
suspicious
malicious
malicious
malicious
malicious
malicious
malicious
malicious
System is w10x64
EXCEL.EXE (PID: 5416 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding MD5: D672D26C85AEB9536B9736BF04054969)
splwow64.exe (PID: 6088 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
WerFault.exe (PID: 4832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 2492 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
WerFault.exe (PID: 4664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 4520 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
WerFault.exe (PID: 4316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 3568 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
WerFault.exe (PID: 5908 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 1172 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
WerFault.exe (PID: 956 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 1460 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
WerFault.exe (PID: 4856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 1980 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
WerFault.exe (PID: 4312 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 4752 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
WerFault.exe (PID: 2600 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 1168 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
WerFault.exe (PID: 4568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 2492 MD5: 80E91E3C0F5563E4049B62FCAF5D67AC)
cleanup
No configs have been found
No yara matches
Startup
Copyright null 2020 Page 5 of 113
Signature Overview
• AV Detection
• Software Vulnerabilities
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
Click to jump to signature section
AV Detection:
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Software Vulnerabilities:
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
System Summary:
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document contains an embedded macro with GUI obfuscation
Office process drops PE file
Mitre Att&ck Matrix
Initial Access Execution PersistencePrivilegeEscalation Defense Evasion
CredentialAccess Discovery
LateralMovement Collection Exfiltration
Commandand Control
NetworkEffects
ValidAccounts
Scripting 4 1 WinlogonHelper DLL
ProcessInjection 1
Masquerading 1 1 CredentialDumping
Virtualization/SandboxEvasion 1
ApplicationDeploymentSoftware
Data fromLocalSystem
DataCompressed
DataObfuscation
Eavesdrop onInsecureNetworkCommunication
ReplicationThroughRemovableMedia
Graphical UserInterface 1
PortMonitors
AccessibilityFeatures
Disabling SecurityTools 1
NetworkSniffing
Process Discovery 1 RemoteServices
Data fromRemovableMedia
ExfiltrationOver OtherNetworkMedium
FallbackChannels
Exploit SS7 toRedirect PhoneCalls/SMS
ExternalRemoteServices
Exploitation forClientExecution 2
AccessibilityFeatures
PathInterception
Virtualization/SandboxEvasion 1
InputCapture
Application WindowDiscovery 1
WindowsRemoteManagement
Data fromNetworkSharedDrive
AutomatedExfiltration
CustomCryptographicProtocol
Exploit SS7 toTrack DeviceLocation
Copyright null 2020 Page 6 of 113
Drive-byCompromise
ScheduledTask
SystemFirmware
DLL SearchOrderHijacking
Process Injection 1 Credentialsin Files
Security SoftwareDiscovery 1 1
LogonScripts
InputCapture
DataEncrypted
MultibandCommunication
SIM CardSwap
Exploit Public-FacingApplication
Command-Line Interface
ShortcutModification
File SystemPermissionsWeakness
Scripting 4 1 AccountManipulation
File and DirectoryDiscovery 1
SharedWebroot
DataStaged
ScheduledTransfer
StandardCryptographicProtocol
ManipulateDeviceCommunication
SpearphishingLink
Graphical UserInterface
ModifyExistingService
NewService
DLL Side-Loading 1 Brute Force System InformationDiscovery 1 1
Third-partySoftware
ScreenCapture
DataTransferSize Limits
CommonlyUsed Port
Jamming orDenial ofService
Initial Access Execution PersistencePrivilegeEscalation Defense Evasion
CredentialAccess Discovery
LateralMovement Collection Exfiltration
Commandand Control
NetworkEffects
Behavior Graph
ID: 238148
Sample: PD_669 10971.xls
Startdate: 12/06/2020
Architecture: WINDOWS
Score: 100
Sigma detected: Get2Downloader
Multi AV Scanner detectionfor dropped file
Multi AV Scanner detectionfor submitted file 8 other signatures
EXCEL.EXE
250 81
started
13.107.42.23
unknown
United States
13.107.5.88
unknown
United States
5 other IPs or domains
C:\Users\user\AppData\Roaming\...\libOmio.dll, PE32
dropped
C:\Users\user\AppData\...\oleObject1.bin, Composite
dropped
C:\Users\user\AppData\Local\Temp\basecamp, COM
dropped
Document exploit detected(creates forbidden files)
WerFault.exe
24 10
started
WerFault.exe
9
started
splwow64.exe
started
7 other processes
Legend:
Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Hide Legend
ThumbnailsThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
Behavior Graph
Screenshots
Copyright null 2020 Page 7 of 113
No bigger version No bigger version No bigger version
No bigger version No bigger version No bigger version No bigger version No bigger version No bigger version No bigger version No bigger version No bigger version No bigger version
No bigger version No bigger version No bigger version No bigger version No bigger version No bigger version No bigger version No bigger version No bigger version No bigger version
No bigger version No bigger version No bigger version No bigger version
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Copyright null 2020 Page 8 of 113
Source Detection Scanner Label Link
PD_669 10971.xls 44% Virustotal Browse
PD_669 10971.xls 100% Joe Sandbox ML
Source Detection Scanner Label Link
C:\Users\user\AppData\Local\Temp\basecamp 3% Virustotal Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\libOmio.dll 32% Virustotal Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\libOmio.dll 25% ReversingLabs Win32.Trojan.Ursu
No Antivirus matches
No Antivirus matches
Source Detection Scanner Label Link
https://cdn.entity. 0% URL Reputation safe
https://cdn.entity. 0% URL Reputation safe
https://wus2-000.contentsync. 0% URL Reputation safe
https://wus2-000.contentsync. 0% URL Reputation safe
https://powerlift.acompli.net 0% Virustotal Browse
https://powerlift.acompli.net 0% URL Reputation safe
https://powerlift.acompli.net 0% URL Reputation safe
https://rpsticket.partnerservices.getmicrosoftkey.com 0% Virustotal Browse
https://rpsticket.partnerservices.getmicrosoftkey.com 0% URL Reputation safe
https://rpsticket.partnerservices.getmicrosoftkey.com 0% URL Reputation safe
https://api.aadrm.com/ 0% Virustotal Browse
https://api.aadrm.com/ 0% URL Reputation safe
https://api.aadrm.com/ 0% URL Reputation safe
https://ofcrecsvcapi-int.azurewebsites.net/ 0% Virustotal Browse
https://ofcrecsvcapi-int.azurewebsites.net/ 0% Avira URL Cloud safe
https://res.getmicrosoftkey.com/api/redemptionevents 0% Virustotal Browse
https://res.getmicrosoftkey.com/api/redemptionevents 0% URL Reputation safe
https://res.getmicrosoftkey.com/api/redemptionevents 0% URL Reputation safe
https://powerlift-frontdesk.acompli.net 0% Virustotal Browse
https://powerlift-frontdesk.acompli.net 0% URL Reputation safe
https://powerlift-frontdesk.acompli.net 0% URL Reputation safe
https://officeci.azurewebsites.net/api/ 0% Virustotal Browse
https://officeci.azurewebsites.net/api/ 0% Avira URL Cloud safe
https://store.office.cn/addinstemplate 0% Virustotal Browse
https://store.office.cn/addinstemplate 0% URL Reputation safe
https://store.office.cn/addinstemplate 0% URL Reputation safe
https://wus2-000.pagecontentsync. 0% URL Reputation safe
https://wus2-000.pagecontentsync. 0% URL Reputation safe
https://store.officeppe.com/addinstemplate 0% Virustotal Browse
https://store.officeppe.com/addinstemplate 0% URL Reputation safe
https://store.officeppe.com/addinstemplate 0% URL Reputation safe
https://dev0-api.acompli.net/autodetect 0% Virustotal Browse
https://dev0-api.acompli.net/autodetect 0% URL Reputation safe
https://dev0-api.acompli.net/autodetect 0% URL Reputation safe
https://www.odwebp.svc.ms 0% Virustotal Browse
https://www.odwebp.svc.ms 0% URL Reputation safe
https://www.odwebp.svc.ms 0% URL Reputation safe
https://dataservice.o365filtering.com/ 0% Virustotal Browse
https://dataservice.o365filtering.com/ 0% URL Reputation safe
https://dataservice.o365filtering.com/ 0% URL Reputation safe
https://officesetup.getmicrosoftkey.com 0% Virustotal Browse
https://officesetup.getmicrosoftkey.com 0% URL Reputation safe
https://officesetup.getmicrosoftkey.com 0% URL Reputation safe
Dropped Files
Unpacked PE Files
Domains
URLs
Copyright null 2020 Page 9 of 113
https://prod-global-autodetect.acompli.net/autodetect 0% Virustotal Browse
https://prod-global-autodetect.acompli.net/autodetect 0% URL Reputation safe
https://prod-global-autodetect.acompli.net/autodetect 0% URL Reputation safe
https://apis.live.net/v5.0/ 0% Virustotal Browse
https://apis.live.net/v5.0/ 0% URL Reputation safe
https://apis.live.net/v5.0/ 0% URL Reputation safe
https://asgsmsproxyapi.azurewebsites.net/ 0% Virustotal Browse
https://asgsmsproxyapi.azurewebsites.net/ 0% Avira URL Cloud safe
https://ncus-000.contentsync. 0% URL Reputation safe
https://ncus-000.contentsync. 0% URL Reputation safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile 0% Virustotal Browse
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile 0% URL Reputation safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile 0% URL Reputation safe
https://skyapi.live.net/Activity/ 0% Virustotal Browse
https://skyapi.live.net/Activity/ 0% URL Reputation safe
https://skyapi.live.net/Activity/ 0% URL Reputation safe
https://dataservice.o365filtering.com 0% Virustotal Browse
https://dataservice.o365filtering.com 0% URL Reputation safe
https://dataservice.o365filtering.com 0% URL Reputation safe
https://ovisualuiapp.azurewebsites.net/pbiagave/ 0% Virustotal Browse
https://ovisualuiapp.azurewebsites.net/pbiagave/ 0% Avira URL Cloud safe
https://directory.services. 0% Virustotal Browse
https://directory.services. 0% URL Reputation safe
https://directory.services. 0% URL Reputation safe
Source Detection Scanner Label Link
No contacted domains info
Name Source Malicious Antivirus Detection Reputation
https://api.diagnosticssdf.office.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://login.microsoftonline.com/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://shell.suite.office.com:1443 D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://cdn.entity. D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false URL Reputation: safeURL Reputation: safe
unknown
https://wus2-000.contentsync. D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false URL Reputation: safeURL Reputation: safe
unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://powerlift.acompli.net D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://rpsticket.partnerservices.getmicrosoftkey.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://lookup.onenote.com/lookup/geolocation/v1 D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://api.powerbi.com/v1.0/myorg/imports D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://cloudfiles.onenote.com/upload.aspx D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
Domains and IPs
Contacted Domains
URLs from Memory and Binaries
Copyright null 2020 Page 10 of 113
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://entitlement.diagnosticssdf.office.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://api.aadrm.com/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://ofcrecsvcapi-int.azurewebsites.net/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseAvira URL Cloud: safe
low
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://api.microsoftstream.com/api/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://cr.office.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://portal.office.com/account/?ref=ClientMeControl D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://ecs.office.com/config/v2/Office D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://graph.ppe.windows.net D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://res.getmicrosoftkey.com/api/redemptionevents D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://powerlift-frontdesk.acompli.net D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://tasks.office.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://officeci.azurewebsites.net/api/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseAvira URL Cloud: safe
low
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://store.office.cn/addinstemplate D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://wus2-000.pagecontentsync. D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false URL Reputation: safeURL Reputation: safe
unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://globaldisco.crm.dynamics.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://store.officeppe.com/addinstemplate D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://dev0-api.acompli.net/autodetect D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://www.odwebp.svc.ms D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
low
https://api.powerbi.com/v1.0/myorg/groups D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://web.microsoftstream.com/video/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://graph.windows.net D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://dataservice.o365filtering.com/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://officesetup.getmicrosoftkey.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://analysis.windows.net/powerbi/api D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
Name Source Malicious Antivirus Detection Reputation
Copyright null 2020 Page 11 of 113
https://prod-global-autodetect.acompli.net/autodetect D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://outlook.office365.com/autodiscover/autodiscover.jsonD7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
weather.service.msn.com/data.aspx D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://apis.live.net/v5.0/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
low
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://management.azure.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://incidents.diagnostics.office.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://clients.config.office.net/user/v1.0/ios D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://insertmedia.bing.office.net/odc/insertmedia D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://o365auditrealtimeingestion.manage.office.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://outlook.office365.com/api/v1.0/me/Activities D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://incidents.diagnosticssdf.office.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://asgsmsproxyapi.azurewebsites.net/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseAvira URL Cloud: safe
low
https://clients.config.office.net/user/v1.0/android/policies D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://entitlement.diagnostics.office.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonD7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://storage.live.com/clientlogs/uploadlocation D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://templatelogging.office.com/client/log D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://management.azure.com/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://ncus-000.contentsync. D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false URL Reputation: safeURL Reputation: safe
unknown
https://login.windows.net/common/oauth2/authorize D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://graph.windows.net/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://devnull.onenote.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://messaging.office.com/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
Name Source Malicious Antivirus Detection Reputation
Copyright null 2020 Page 12 of 113
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://skyapi.live.net/Activity/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
low
https://clients.config.office.net/user/v1.0/mac D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://dataservice.o365filtering.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://onedrive.live.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://ovisualuiapp.azurewebsites.net/pbiagave/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseAvira URL Cloud: safe
low
https://visio.uservoice.com/forums/368202-visio-on-devices
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://directory.services. D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false 0%, Virustotal, BrowseURL Reputation: safeURL Reputation: safe
unknown
https://login.windows-ppe.net/common/oauth2/authorize D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://loki.delve.office.com/api/v1/configuration/officewin32/D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://onedrive.live.com/embed? D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://augloop.office.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://clients.config.office.net/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://api.diagnostics.office.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://settings.outlook.com D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://graph.ppe.windows.net/ D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://store.office.de/addinstemplate D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://api.powerbi.com/v1.0/myorg/datasets D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
D7947CFB-C60D-4B09-B664-749490813E98.0.dr
false high
Name Source Malicious Antivirus Detection Reputation
Contacted IPs
Copyright null 2020 Page 13 of 113
General Information
Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 238148
Start date: 12.06.2020
Start time: 19:19:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PD_669 10971.xls
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Without Instrumentation
Number of analysed new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs
IP Country Flag ASN ASN Name Malicious
8.8.8.8 United States 15169 unknown false
13.107.42.23 United States 8068 unknown false
5.149.253.194 United Kingdom 201525 unknown false
52.109.12.19 United States 8075 unknown false
52.109.88.8 United States 8075 unknown false
13.107.5.88 United States 8068 unknown false
52.114.158.91 United States 8075 unknown false
Public
Copyright null 2020 Page 14 of 113
Technologies: HCA enabledEGA enabledHDC enabledAMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winXLS@12/53@0/7
Cookbook Comments: Adjust boot timeEnable AMSIFound application associated with file extension: .xls
Warnings:Max analysis timeout: 720s exceeded, the analysis took too longBehavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, MusNotifyIcon.exe, svchost.exe, UsoClient.exeReport size exceeded maximum capacity and may have missing behavior information.Report size getting too big, too many NtCreateFile calls found.Report size getting too big, too many NtDeviceIoControlFile calls found.Report size getting too big, too many NtQueryAttributesFile calls found.Report size getting too big, too many NtSetInformationFile calls found.
Time Type Description
19:20:27 API Interceptor 1068x Sleep call for process: splwow64.exe modified
Match Associated Sample Name / URL SHA 256 Detection Link Context
8.8.8.8 BadStuff.js Get hash malicious Browse 8.8.8.8/SlvMWdIEW62C9c
BadStuff.js Get hash malicious Browse 8.8.8.8/CTM5wttwLFcLdHfVk
33payment advice.exe Get hash malicious Browse www.zulinfang.mobi/fu/?id=i07vHMa0svfKfxE6I3aRHA3lctcdYaT9x0iZT9MH0oRhMFPgh9mSEtNU17XFCBgMQA4XWErQDlzTwB-AplygzQ..
Show All
Simulations
Behavior and APIs
Joe Sandbox View / Context
IPs
Copyright null 2020 Page 15 of 113
37documents.exe Get hash malicious Browse www.tasteofunexpected.com/tf/?id=y6IrbpvfhkYfQXXyqC8dooAvfrv2e2apV7igF70LYGyF4OCvwj5JxRVBdRghvKGGuc_KsFbnbWPC0Def
63AWB 043255.exe Get hash malicious Browse www.serikatsaudagarnusantara.com/ed/?id=kIz4OnF7tHMqdv1cSepeHoY02Vsws5yCI7zf8DN1pvMb9hdHFpZX44eSyhzXC7u5icfl1yYYsvfyl6we
d62c.exe Get hash malicious Browse www.epckednilm.info/fu/?id=i07vHMa0svfKfxE6I3aRHA3lctcdYaT9x0iZT9MH0oRhMFPgh9mSEtNU17XFCBgMQA4XWErQDlzTwB-AplygzQ..
27TTcopyMT107-36000_payment.exe Get hash malicious Browse www.watchsummer.com/tr/?id=oqCXvgIUiCxPFtn1J0rb33q5mpSH48Vd1XRAfBxi4MgNDwsdTt0dcXb5dgzj2vPAuld1RDreAlRWWLP9Xot16w..&sql=1
download_adobeflashplayer_install_9_.exe Get hash malicious Browse wetr34.sitesled.com/wind.jpg
INV-000524.vbs Get hash malicious Browse naturofind.org/p66/JIKJHgft
177Purchase Order.exe Get hash malicious Browse www.phutungototp.com/ho/?id=y3T6nEBciedL7htO4xn1ZYijVAw7sJXLjwubagvJUtMFVf7aOWPSa_Bl5i178f_EjROvybrSr7PC3267XbUsBg..
8Order Inquiry.exe Get hash malicious Browse www.quyuar.com/dr/?id=gCqdDQsh4d7ynFKSj09V1Y12J91NTUfM9LddDKzxEGHO7R4ogEQ3AGAU2DRYiF_Nduo4Rd-EW24x-O38aOud_g..
27Tobye.js Get hash malicious Browse my.internaldating.ru/js/boxun4.bin
11Marena.js Get hash malicious Browse my.internaldating.ru/js/boxun4.bin
39Harriot.js Get hash malicious Browse my.internaldating.ru/js/boxun4.bin
Match Associated Sample Name / URL SHA 256 Detection Link Context
Copyright null 2020 Page 16 of 113
1Vida.js Get hash malicious Browse my.internaldating.ru/js/boxun4.bin
43Colleen.js Get hash malicious Browse my.internaldating.ru/js/boxun4.bin
67Roxanne.js Get hash malicious Browse my.internaldating.ru/js/boxun4.bin
15Winnah.js Get hash malicious Browse my.internaldating.ru/js/boxun4.bin
33Elfrida.js Get hash malicious Browse my.internaldating.ru/js/boxun4.bin
25Cornelle.js Get hash malicious Browse my.internaldating.ru/js/boxun4.bin
Match Associated Sample Name / URL SHA 256 Detection Link Context
No context
Match Associated Sample Name / URL SHA 256 Detection Link Context
unknown Invoice 44387 - Due Date _ 12 June, 2020 - Client ID 7776042.html
Get hash malicious Browse 212.159.9.92
https://u.to/ofqqGA Get hash malicious Browse 193.109.247.239
https://cloud.smartdraw.com/share.aspx/?pubDocShare=2319AC972B6938D7B9401E8425E8FFCA385
Get hash malicious Browse 152.199.21.21
https://cloud.smartdraw.com/share.aspx/?pubDocShare=2319AC972B6938D7B9401E8425E8FFCA385
Get hash malicious Browse 152.199.21.21
https://reflectionsofmyeyes.com/vox/amFtZXNfYmVubmlnaG9mQGJheWxvci5lZHU=
Get hash malicious Browse 192.185.103.141
jo.gov.moh.aman_1.0.apk Get hash malicious Browse 173.194.76.188
technis.org/jzuaokr/kr9clxXZfN.zip Get hash malicious Browse 104.16.132.229
Invoice_18744_-_Due_Date___12_June%2C_2020_-_Client_ID_2606438.html
Get hash malicious Browse 188.130.33.142
technis.org/jzuaokr/kr9clxXZfN.zip Get hash malicious Browse 104.16.132.229
baylor21.baylorrgb749.southwest-85.com/?R3drr=https%3A%2F%2Fshigatsuwakimi.blob.core.windows.net%2Fkatekyo%2Fgoogle.html%23Z3JhbnRfbm93ZWxsQGJheWxvci5lZHU= View
Get hash malicious Browse 198.54.125.159
Invoice 36653 - Due Date _ 12 June, 2020 - Client ID 1441364.html
Get hash malicious Browse 188.130.33.142
https://t-info.mail.adobe.com/r/?id=h531da677,b8fb2bef,b8fb3304&p1=analytics.twitter.com/daa/0/daa_optout_actions?action_id=3&participant_id=716&rd=https://tradescouncil.com/jdanielsjdanielsjdanielsw23de35d23e35de23e35jdaniels/&p2=JVLsH//#[email protected]
Get hash malicious Browse 99.84.94.64
TALQ_812421154768_10062020.vbs Get hash malicious Browse 204.11.58.87
https://onedrive.live.com/view.aspx?resid=C1FADE07C4796650!176&authkey=!AJs-iBA3u8U4WgA
Get hash malicious Browse 23.111.9.35
Erlinda Barak CV.xls Get hash malicious Browse 205.185.125.104
Erlinda Barak CV.xls Get hash malicious Browse 205.185.125.104
83878C91171338902E0FE0FB97A8C47A.dotm Get hash malicious Browse 45.40.189.16
https://xh1643879264863098023.el.r.appspot.com/#[email protected]
Get hash malicious Browse 152.199.23.37
Boeing_AERO_GS.docx Get hash malicious Browse 51.68.152.96
Boeing_AERO_GS.docx Get hash malicious Browse 51.68.152.96
unknown Invoice 44387 - Due Date _ 12 June, 2020 - Client ID 7776042.html
Get hash malicious Browse 212.159.9.92
https://u.to/ofqqGA Get hash malicious Browse 193.109.247.239
https://cloud.smartdraw.com/share.aspx/?pubDocShare=2319AC972B6938D7B9401E8425E8FFCA385
Get hash malicious Browse 152.199.21.21
Domains
ASN
Copyright null 2020 Page 17 of 113
https://cloud.smartdraw.com/share.aspx/?pubDocShare=2319AC972B6938D7B9401E8425E8FFCA385
Get hash malicious Browse 152.199.21.21
https://reflectionsofmyeyes.com/vox/amFtZXNfYmVubmlnaG9mQGJheWxvci5lZHU=
Get hash malicious Browse 192.185.103.141
jo.gov.moh.aman_1.0.apk Get hash malicious Browse 173.194.76.188
technis.org/jzuaokr/kr9clxXZfN.zip Get hash malicious Browse 104.16.132.229
Invoice_18744_-_Due_Date___12_June%2C_2020_-_Client_ID_2606438.html
Get hash malicious Browse 188.130.33.142
technis.org/jzuaokr/kr9clxXZfN.zip Get hash malicious Browse 104.16.132.229
baylor21.baylorrgb749.southwest-85.com/?R3drr=https%3A%2F%2Fshigatsuwakimi.blob.core.windows.net%2Fkatekyo%2Fgoogle.html%23Z3JhbnRfbm93ZWxsQGJheWxvci5lZHU= View
Get hash malicious Browse 198.54.125.159
Invoice 36653 - Due Date _ 12 June, 2020 - Client ID 1441364.html
Get hash malicious Browse 188.130.33.142
https://t-info.mail.adobe.com/r/?id=h531da677,b8fb2bef,b8fb3304&p1=analytics.twitter.com/daa/0/daa_optout_actions?action_id=3&participant_id=716&rd=https://tradescouncil.com/jdanielsjdanielsjdanielsw23de35d23e35de23e35jdaniels/&p2=JVLsH//#[email protected]
Get hash malicious Browse 99.84.94.64
TALQ_812421154768_10062020.vbs Get hash malicious Browse 204.11.58.87
https://onedrive.live.com/view.aspx?resid=C1FADE07C4796650!176&authkey=!AJs-iBA3u8U4WgA
Get hash malicious Browse 23.111.9.35
Erlinda Barak CV.xls Get hash malicious Browse 205.185.125.104
Erlinda Barak CV.xls Get hash malicious Browse 205.185.125.104
83878C91171338902E0FE0FB97A8C47A.dotm Get hash malicious Browse 45.40.189.16
https://xh1643879264863098023.el.r.appspot.com/#[email protected]
Get hash malicious Browse 152.199.23.37
Boeing_AERO_GS.docx Get hash malicious Browse 51.68.152.96
Boeing_AERO_GS.docx Get hash malicious Browse 51.68.152.96
unknown Invoice 44387 - Due Date _ 12 June, 2020 - Client ID 7776042.html
Get hash malicious Browse 212.159.9.92
https://u.to/ofqqGA Get hash malicious Browse 193.109.247.239
https://cloud.smartdraw.com/share.aspx/?pubDocShare=2319AC972B6938D7B9401E8425E8FFCA385
Get hash malicious Browse 152.199.21.21
https://cloud.smartdraw.com/share.aspx/?pubDocShare=2319AC972B6938D7B9401E8425E8FFCA385
Get hash malicious Browse 152.199.21.21
https://reflectionsofmyeyes.com/vox/amFtZXNfYmVubmlnaG9mQGJheWxvci5lZHU=
Get hash malicious Browse 192.185.103.141
jo.gov.moh.aman_1.0.apk Get hash malicious Browse 173.194.76.188
technis.org/jzuaokr/kr9clxXZfN.zip Get hash malicious Browse 104.16.132.229
Invoice_18744_-_Due_Date___12_June%2C_2020_-_Client_ID_2606438.html
Get hash malicious Browse 188.130.33.142
technis.org/jzuaokr/kr9clxXZfN.zip Get hash malicious Browse 104.16.132.229
baylor21.baylorrgb749.southwest-85.com/?R3drr=https%3A%2F%2Fshigatsuwakimi.blob.core.windows.net%2Fkatekyo%2Fgoogle.html%23Z3JhbnRfbm93ZWxsQGJheWxvci5lZHU= View
Get hash malicious Browse 198.54.125.159
Invoice 36653 - Due Date _ 12 June, 2020 - Client ID 1441364.html
Get hash malicious Browse 188.130.33.142
https://t-info.mail.adobe.com/r/?id=h531da677,b8fb2bef,b8fb3304&p1=analytics.twitter.com/daa/0/daa_optout_actions?action_id=3&participant_id=716&rd=https://tradescouncil.com/jdanielsjdanielsjdanielsw23de35d23e35de23e35jdaniels/&p2=JVLsH//#[email protected]
Get hash malicious Browse 99.84.94.64
TALQ_812421154768_10062020.vbs Get hash malicious Browse 204.11.58.87
https://onedrive.live.com/view.aspx?resid=C1FADE07C4796650!176&authkey=!AJs-iBA3u8U4WgA
Get hash malicious Browse 23.111.9.35
Erlinda Barak CV.xls Get hash malicious Browse 205.185.125.104
Erlinda Barak CV.xls Get hash malicious Browse 205.185.125.104
83878C91171338902E0FE0FB97A8C47A.dotm Get hash malicious Browse 45.40.189.16
Match Associated Sample Name / URL SHA 256 Detection Link Context
Copyright null 2020 Page 18 of 113
https://xh1643879264863098023.el.r.appspot.com/#[email protected]
Get hash malicious Browse 152.199.23.37
Boeing_AERO_GS.docx Get hash malicious Browse 51.68.152.96
Boeing_AERO_GS.docx Get hash malicious Browse 51.68.152.96
unknown Invoice 44387 - Due Date _ 12 June, 2020 - Client ID 7776042.html
Get hash malicious Browse 212.159.9.92
https://u.to/ofqqGA Get hash malicious Browse 193.109.247.239
https://cloud.smartdraw.com/share.aspx/?pubDocShare=2319AC972B6938D7B9401E8425E8FFCA385
Get hash malicious Browse 152.199.21.21
https://cloud.smartdraw.com/share.aspx/?pubDocShare=2319AC972B6938D7B9401E8425E8FFCA385
Get hash malicious Browse 152.199.21.21
https://reflectionsofmyeyes.com/vox/amFtZXNfYmVubmlnaG9mQGJheWxvci5lZHU=
Get hash malicious Browse 192.185.103.141
jo.gov.moh.aman_1.0.apk Get hash malicious Browse 173.194.76.188
technis.org/jzuaokr/kr9clxXZfN.zip Get hash malicious Browse 104.16.132.229
Invoice_18744_-_Due_Date___12_June%2C_2020_-_Client_ID_2606438.html
Get hash malicious Browse 188.130.33.142
technis.org/jzuaokr/kr9clxXZfN.zip Get hash malicious Browse 104.16.132.229
baylor21.baylorrgb749.southwest-85.com/?R3drr=https%3A%2F%2Fshigatsuwakimi.blob.core.windows.net%2Fkatekyo%2Fgoogle.html%23Z3JhbnRfbm93ZWxsQGJheWxvci5lZHU= View
Get hash malicious Browse 198.54.125.159
Invoice 36653 - Due Date _ 12 June, 2020 - Client ID 1441364.html
Get hash malicious Browse 188.130.33.142
https://t-info.mail.adobe.com/r/?id=h531da677,b8fb2bef,b8fb3304&p1=analytics.twitter.com/daa/0/daa_optout_actions?action_id=3&participant_id=716&rd=https://tradescouncil.com/jdanielsjdanielsjdanielsw23de35d23e35de23e35jdaniels/&p2=JVLsH//#[email protected]
Get hash malicious Browse 99.84.94.64
TALQ_812421154768_10062020.vbs Get hash malicious Browse 204.11.58.87
https://onedrive.live.com/view.aspx?resid=C1FADE07C4796650!176&authkey=!AJs-iBA3u8U4WgA
Get hash malicious Browse 23.111.9.35
Erlinda Barak CV.xls Get hash malicious Browse 205.185.125.104
Erlinda Barak CV.xls Get hash malicious Browse 205.185.125.104
83878C91171338902E0FE0FB97A8C47A.dotm Get hash malicious Browse 45.40.189.16
https://xh1643879264863098023.el.r.appspot.com/#[email protected]
Get hash malicious Browse 152.199.23.37
Boeing_AERO_GS.docx Get hash malicious Browse 51.68.152.96
Boeing_AERO_GS.docx Get hash malicious Browse 51.68.152.96
unknown Invoice 44387 - Due Date _ 12 June, 2020 - Client ID 7776042.html
Get hash malicious Browse 212.159.9.92
https://u.to/ofqqGA Get hash malicious Browse 193.109.247.239
https://cloud.smartdraw.com/share.aspx/?pubDocShare=2319AC972B6938D7B9401E8425E8FFCA385
Get hash malicious Browse 152.199.21.21
https://cloud.smartdraw.com/share.aspx/?pubDocShare=2319AC972B6938D7B9401E8425E8FFCA385
Get hash malicious Browse 152.199.21.21
https://reflectionsofmyeyes.com/vox/amFtZXNfYmVubmlnaG9mQGJheWxvci5lZHU=
Get hash malicious Browse 192.185.103.141
jo.gov.moh.aman_1.0.apk Get hash malicious Browse 173.194.76.188
technis.org/jzuaokr/kr9clxXZfN.zip Get hash malicious Browse 104.16.132.229
Invoice_18744_-_Due_Date___12_June%2C_2020_-_Client_ID_2606438.html
Get hash malicious Browse 188.130.33.142
technis.org/jzuaokr/kr9clxXZfN.zip Get hash malicious Browse 104.16.132.229
baylor21.baylorrgb749.southwest-85.com/?R3drr=https%3A%2F%2Fshigatsuwakimi.blob.core.windows.net%2Fkatekyo%2Fgoogle.html%23Z3JhbnRfbm93ZWxsQGJheWxvci5lZHU= View
Get hash malicious Browse 198.54.125.159
Invoice 36653 - Due Date _ 12 June, 2020 - Client ID 1441364.html
Get hash malicious Browse 188.130.33.142
https://t-info.mail.adobe.com/r/?id=h531da677,b8fb2bef,b8fb3304&p1=analytics.twitter.com/daa/0/daa_optout_actions?action_id=3&participant_id=716&rd=https://tradescouncil.com/jdanielsjdanielsjdanielsw23de35d23e35de23e35jdaniels/&p2=JVLsH//#[email protected]
Get hash malicious Browse 99.84.94.64
Match Associated Sample Name / URL SHA 256 Detection Link Context
Copyright null 2020 Page 19 of 113
TALQ_812421154768_10062020.vbs Get hash malicious Browse 204.11.58.87
https://onedrive.live.com/view.aspx?resid=C1FADE07C4796650!176&authkey=!AJs-iBA3u8U4WgA
Get hash malicious Browse 23.111.9.35
Erlinda Barak CV.xls Get hash malicious Browse 205.185.125.104
Erlinda Barak CV.xls Get hash malicious Browse 205.185.125.104
83878C91171338902E0FE0FB97A8C47A.dotm Get hash malicious Browse 45.40.189.16
https://xh1643879264863098023.el.r.appspot.com/#[email protected]
Get hash malicious Browse 152.199.23.37
Boeing_AERO_GS.docx Get hash malicious Browse 51.68.152.96
Boeing_AERO_GS.docx Get hash malicious Browse 51.68.152.96
Match Associated Sample Name / URL SHA 256 Detection Link Context
No context
No context
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_03eafcfb\Report.werProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 26222
Entropy (8bit): 3.74957673345421
Encrypted: false
MD5: 00749BF96FA56B9498F9073BE97B07BD
SHA1: 124CF9B960067F713C027EE06B7D9E275E223E4F
SHA-256: 5CAE4EEBB44E43D123BB680A98A6B9ACDB2F92581EA0BCD3688B9AF9F927938A
SHA-512: 4E69BB982397AD5073E3CD344D105BC4F72495D9C51ACF6D965F50BE314DE73A4E4E1350AA2F73634EF066F9D4372F19A04DB3CA0AADF58C364D6DD03D69E9A3
Malicious: false
Reputation: low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.6.4.8.8.7.3.6.6.2.0.7.9.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.7.b.0.7.f.2.-.8.4.6.4.-.4.9.8.4.-.8.3.b.a.-.1.c.0.9.7.3.f.0.c.5.5.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.7.6.9.8.c.a.-.d.9.9.2.-.4.4.0.8.-.b.e.3.8.-.6.f.b.d.0.6.2.b.7.b.8.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.C.E.L...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.c.e.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.8.-.0.0.0.1.-.0.0.1.c.-.f.7.a.4.-.6.3.2.1.2.9.4.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.4.3.2.3.c.2.4.0.c.3.a.c.0.4.a.3.6.8.7.7.9.f.f.c.c.d.f.d.b.3.0.0.0.0.0.0.0.0.!.0.0.0.0.a.7.1.1.7.f.4.1.4.f.e.0.9.e.3.4.8.9.0.3.e.d.6.1.9.a.0.2.b.0.c.6.5.9.7.1.1.a.6.2.!.E.X.C.E.L...E.X.E.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.1.1././.1.2.:.0.2.:.3.9.:.0.6.!.2.9.d.e.8.e.d.!.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_0a72b6b7\Report.werProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 26260
Entropy (8bit): 3.7491784407076514
Encrypted: false
MD5: 9F21A873D2B7ABC3D981E9F4A04F7F1A
SHA1: 75F58E5C07DA90AA0FAC724D6993D16083BEE860
SHA-256: BC38CF9FA7019700B2BE213164D3418757A700A4FA49FFBC0CC87404D8F5C2E9
SHA-512: E3070FED7FE15642A2361383A5F0C2E94E8AB0E2CF2ED663B8597E6DB29F4F51401A98374462F6707999EF11BDE5C230D3F5DD87B6F1F2877DE2F47CADCCF5F6
Malicious: false
Reputation: low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.6.4.8.8.9.8.0.6.1.1.9.7.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.f.3.0.2.2.9.-.5.9.b.2.-.4.3.2.8.-.b.a.5.2.-.6.9.a.b.2.0.a.4.8.2.6.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.d.2.0.3.f.0.-.f.a.9.e.-.4.9.e.0.-.b.6.6.a.-.e.7.d.3.1.1.5.6.d.5.c.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.C.E.L...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.c.e.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.8.-.0.0.0.1.-.0.0.1.c.-.f.7.a.4.-.6.3.2.1.2.9.4.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.4.3.2.3.c.2.4.0.c.3.a.c.0.4.a.3.6.8.7.7.9.f.f.c.c.d.f.d.b.3.0.0.0.0.0.0.0.0.!.0.0.0.0.a.7.1.1.7.f.4.1.4.f.e.0.9.e.3.4.8.9.0.3.e.d.6.1.9.a.0.2.b.0.c.6.5.9.7.1.1.a.6.2.!.E.X.C.E.L...E.X.E.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.1.1././.1.2.:.0.2.:.3.9.:.0.6.!.2.9.d.e.8.e.d.!.
JA3 Fingerprints
Dropped Files
Created / dropped Files
Copyright null 2020 Page 20 of 113
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_10883a9f\Report.werProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 26256
Entropy (8bit): 3.749142658306768
Encrypted: false
MD5: FD34E65940E4359011FFC7F34DDF55A3
SHA1: 57CEF3DC40A2422F5333A39683DA36C445EC28AA
SHA-256: 14B1BD6942131B7DC4BE5A1B891E2D9800B5393875A53D9BE217089EE5EE076B
SHA-512: 492EC9AEC584ACCA726C408353BB156B7BEBF443A3753CE159EAEA7B294B2627C11E7E6089E8091D3BEB584C82CF8302245AF8BA8B1EDE5BD2495FD3EADA47D6
Malicious: false
Reputation: low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.6.4.8.8.5.5.5.2.7.6.5.3.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.6.3.7.5.f.f.7.-.f.2.7.0.-.4.b.c.a.-.8.3.6.5.-.4.a.3.0.a.d.c.7.4.e.7.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.d.9.0.0.c.a.-.d.8.6.3.-.4.0.f.4.-.b.4.f.8.-.f.8.f.2.d.8.7.5.8.f.5.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.C.E.L...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.c.e.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.8.-.0.0.0.1.-.0.0.1.c.-.f.7.a.4.-.6.3.2.1.2.9.4.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.4.3.2.3.c.2.4.0.c.3.a.c.0.4.a.3.6.8.7.7.9.f.f.c.c.d.f.d.b.3.0.0.0.0.0.0.0.0.!.0.0.0.0.a.7.1.1.7.f.4.1.4.f.e.0.9.e.3.4.8.9.0.3.e.d.6.1.9.a.0.2.b.0.c.6.5.9.7.1.1.a.6.2.!.E.X.C.E.L...E.X.E.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.1.1././.1.2.:.0.2.:.3.9.:.0.6.!.2.9.d.e.8.e.d.!.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_108fbba7\Report.werProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 26258
Entropy (8bit): 3.748411754788295
Encrypted: false
MD5: 6E22BB452B3E154B0B2BF10C244F755C
SHA1: 2FDB178CD80418075CBA91F1FC47F2118A012E4F
SHA-256: 2587403FD1F14B21106F0AFE11C8EBA1AD60194E966397DD5E688B0EB4932C82
SHA-512: 5CB3D253D6E19CEB8A694F6C654D726F1C251CB5EE5B4E7E92D8A9E1287B91824450897B5F89BA131BA67DDB5F80D026F8C94F95CAF2C60EC39FB963C61C6DE6
Malicious: false
Reputation: low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.6.4.8.8.7.8.5.3.6.5.8.8.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.0.a.3.3.8.e.c.-.b.9.e.b.-.4.f.7.7.-.9.8.1.d.-.7.9.d.4.8.4.e.7.1.e.6.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.a.3.0.6.5.1.-.5.d.2.9.-.4.5.4.d.-.9.8.c.1.-.d.4.0.4.6.8.2.c.f.5.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.C.E.L...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.c.e.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.8.-.0.0.0.1.-.0.0.1.c.-.f.7.a.4.-.6.3.2.1.2.9.4.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.4.3.2.3.c.2.4.0.c.3.a.c.0.4.a.3.6.8.7.7.9.f.f.c.c.d.f.d.b.3.0.0.0.0.0.0.0.0.!.0.0.0.0.a.7.1.1.7.f.4.1.4.f.e.0.9.e.3.4.8.9.0.3.e.d.6.1.9.a.0.2.b.0.c.6.5.9.7.1.1.a.6.2.!.E.X.C.E.L...E.X.E.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.1.1././.1.2.:.0.2.:.3.9.:.0.6.!.2.9.d.e.8.e.d.!.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_1182c899\Report.werProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 26260
Entropy (8bit): 3.748399737814802
Encrypted: false
MD5: F1089AC419CA0178A0DA8638BA85A690
SHA1: 977B39E99A69968C1FF1E2DA8233BFA98C0CDB37
SHA-256: FA9D6A4E47A754BA33665CD8F86A32694E27906F554FE8DC8A185F3F51F8FC19
SHA-512: DF227A89EC857F973ED557B23879728D51F375EC6651C520C8814037413D6A2259FF131BE399B366B54A3133F854375200FB56601CCC36527725B616781F525E
Malicious: false
Reputation: low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.6.4.8.8.9.8.5.2.2.1.8.5.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.5.7.e.3.4.6.-.f.0.a.8.-.4.5.4.7.-.a.c.7.2.-.b.1.e.c.9.3.0.7.b.1.3.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.9.2.4.e.b.c.-.e.5.8.8.-.4.5.8.e.-.9.5.d.d.-.6.9.6.2.e.b.5.f.1.e.c.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.C.E.L...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.c.e.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.8.-.0.0.0.1.-.0.0.1.c.-.f.7.a.4.-.6.3.2.1.2.9.4.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.4.3.2.3.c.2.4.0.c.3.a.c.0.4.a.3.6.8.7.7.9.f.f.c.c.d.f.d.b.3.0.0.0.0.0.0.0.0.!.0.0.0.0.a.7.1.1.7.f.4.1.4.f.e.0.9.e.3.4.8.9.0.3.e.d.6.1.9.a.0.2.b.0.c.6.5.9.7.1.1.a.6.2.!.E.X.C.E.L...E.X.E.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.1.1././.1.2.:.0.2.:.3.9.:.0.6.!.2.9.d.e.8.e.d.!.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_126c269a\Report.werProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 26260
Entropy (8bit): 3.7490910869803797
Encrypted: false
Copyright null 2020 Page 21 of 113
MD5: C08B68F5945AB7B6B76E7AAB701CB762
SHA1: E67052C2CF44BD38F419E3C71CFA847B0CE8F2D9
SHA-256: 4E62E0736A5CBB7623E6BA71DA25786D259B75B7055018D53D30EC213E1D5C2B
SHA-512: CA09D8CEBA022920F2A738B48E96F530F8B641F9F3AC2EA7D918693382DC4BAEB0CCE500C8375582316DC1176CAD6893171E55B033EF5509EFB20A0F1529F278
Malicious: false
Reputation: low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.6.4.8.8.5.5.0.6.5.7.3.8.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.8.0.3.7.8.6.-.b.5.f.9.-.4.9.f.4.-.9.a.4.1.-.8.f.5.3.5.5.d.d.2.c.0.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.c.c.f.2.4.b.-.1.5.c.1.-.4.4.0.1.-.b.1.6.5.-.e.d.f.4.d.a.5.0.5.0.f.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.C.E.L...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.c.e.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.8.-.0.0.0.1.-.0.0.1.c.-.f.7.a.4.-.6.3.2.1.2.9.4.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.4.3.2.3.c.2.4.0.c.3.a.c.0.4.a.3.6.8.7.7.9.f.f.c.c.d.f.d.b.3.0.0.0.0.0.0.0.0.!.0.0.0.0.a.7.1.1.7.f.4.1.4.f.e.0.9.e.3.4.8.9.0.3.e.d.6.1.9.a.0.2.b.0.c.6.5.9.7.1.1.a.6.2.!.E.X.C.E.L...E.X.E.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.1.1././.1.2.:.0.2.:.3.9.:.0.6.!.2.9.d.e.8.e.d.!.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_126c269a\Report.wer
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_12afab4c\Report.werProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 26258
Entropy (8bit): 3.748781222685059
Encrypted: false
MD5: D3381F5779B6F8B9E6C204F1886F0AF4
SHA1: D84EFBB7325E793FA6F28731C47E66D5DAFFE517
SHA-256: 102E8302B295BE98F6E0A57F5938EA3CD41F21B945CDE320F15D16439B7F2181
SHA-512: CBC769F93164FA7B165B75EC27B469318D2F1A9E6B0EA0827E5D64678C3770F95B09E8F9664704786D81054CE6C18B6C2528159431BD40B2D8BB06C1819D39DC
Malicious: false
Reputation: low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.6.4.8.8.7.8.1.2.3.3.5.8.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.d.a.e.9.e.d.2.-.c.6.8.5.-.4.d.c.6.-.a.7.1.9.-.7.f.6.4.0.5.d.f.2.d.4.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.7.e.6.e.1.4.-.8.e.8.0.-.4.e.0.4.-.8.5.1.5.-.9.b.9.0.1.4.7.e.d.8.a.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.C.E.L...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.c.e.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.8.-.0.0.0.1.-.0.0.1.c.-.f.7.a.4.-.6.3.2.1.2.9.4.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.4.3.2.3.c.2.4.0.c.3.a.c.0.4.a.3.6.8.7.7.9.f.f.c.c.d.f.d.b.3.0.0.0.0.0.0.0.0.!.0.0.0.0.a.7.1.1.7.f.4.1.4.f.e.0.9.e.3.4.8.9.0.3.e.d.6.1.9.a.0.2.b.0.c.6.5.9.7.1.1.a.6.2.!.E.X.C.E.L...E.X.E.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.1.1././.1.2.:.0.2.:.3.9.:.0.6.!.2.9.d.e.8.e.d.!.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_12b34477\Report.werProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 26258
Entropy (8bit): 3.7488505637687837
Encrypted: false
MD5: 406A697929AEA58212BBC884911C5365
SHA1: 3F175AB112D37C72391D40C2662A888D54546F1D
SHA-256: D6033B01CD10555B30B2EEA2A00B6FB32CF7F0111F7B9323C1E5E2017D1196F3
SHA-512: 66FDB9B53FD0F7ED9D897B472087A36C049A1F5FC922A4F3EFDFAF4B291E55BAA8A0B60681F5281221ADD33A402EE3EC94F25685FF81C534CFC9D0C69C9369DD
Malicious: false
Reputation: low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.6.4.8.8.4.9.2.1.9.6.9.4.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.e.b.a.2.c.c.-.3.2.6.d.-.4.3.5.b.-.a.1.7.5.-.9.c.7.5.b.c.2.1.d.c.f.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.5.f.8.8.6.0.-.8.7.d.2.-.4.7.0.1.-.8.6.a.6.-.c.e.8.6.6.0.e.6.b.7.d.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.C.E.L...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.c.e.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.8.-.0.0.0.1.-.0.0.1.c.-.f.7.a.4.-.6.3.2.1.2.9.4.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.4.3.2.3.c.2.4.0.c.3.a.c.0.4.a.3.6.8.7.7.9.f.f.c.c.d.f.d.b.3.0.0.0.0.0.0.0.0.!.0.0.0.0.a.7.1.1.7.f.4.1.4.f.e.0.9.e.3.4.8.9.0.3.e.d.6.1.9.a.0.2.b.0.c.6.5.9.7.1.1.a.6.2.!.E.X.C.E.L...E.X.E.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.1.1././.1.2.:.0.2.:.3.9.:.0.6.!.2.9.d.e.8.e.d.!.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_1742e695\Report.werProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 26260
Entropy (8bit): 3.7484490441926916
Encrypted: false
MD5: 8A19F9B0F70FAD4E8D6202384544C832
SHA1: 99C7AC9B2A1C2E407FF111BB5BEEE9A538CDF809
SHA-256: 44EF1FCB6C892587B287E939352AED252CE164FD4F4D619C301B9A2E7D3EB0C9
SHA-512: 0518C162C63CF5E11C034B363A19DE51907C7D59CB40BB27886E306104BCBF0B282BC791C704E705A46507258F8B99F09AA44253A382E249F36A76F68B1711ED
Malicious: false
Reputation: low
Copyright null 2020 Page 22 of 113
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.3.6.4.8.8.7.3.0.6.5.9.3.4.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.2.3.5.e.7.b.-.0.3.0.4.-.4.b.5.9.-.8.c.b.a.-.2.1.f.d.f.0.b.f.a.b.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.3.9.9.4.2.d.-.3.6.2.a.-.4.c.9.3.-.b.b.2.a.-.a.5.8.f.a.f.2.e.c.6.7.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.X.C.E.L...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.x.c.e.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.2.8.-.0.0.0.1.-.0.0.1.c.-.f.7.a.4.-.6.3.2.1.2.9.4.1.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.4.3.2.3.c.2.4.0.c.3.a.c.0.4.a.3.6.8.7.7.9.f.f.c.c.d.f.d.b.3.0.0.0.0.0.0.0.0.!.0.0.0.0.a.7.1.1.7.f.4.1.4.f.e.0.9.e.3.4.8.9.0.3.e.d.6.1.9.a.0.2.b.0.c.6.5.9.7.1.1.a.6.2.!.E.X.C.E.L...E.X.E.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.8././.1.1././.1.2.:.0.2.:.3.9.:.0.6.!.2.9.d.e.8.e.d.!.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_1742e695\Report.wer
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmpProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jun 13 02:22:31 2020, 0x1205a4 type
Size (bytes): 312411
Entropy (8bit): 2.246976659154861
Encrypted: false
MD5: C78E0541E009D29D13F220ED9A900DB7
SHA1: F6D48972A5C0AFCF718552C447D19A790CC8C2E1
SHA-256: 6611E6FF14D534D6EE1DA0714DC4F9C84C1F680C5495760E67A5A2F2ECF1E9CB
SHA-512: 92345F9F1FE730BD5B42A178C21B80FC30AB59BF0C71C0E5D01383C366F2E31064DF10575631D8AE44D1E93ED004D5CEFDFBD3FC963CB78C5BF59B1C2EFABFF5
Malicious: false
Reputation: low
Preview:MDMP....... .......g8.^...................?...........B.......T......GenuineIntel............T.......(....7.^....:........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 8302
Entropy (8bit): 3.6996117085864957
Encrypted: false
MD5: A5638277D4806B19F5022E0E5C3EE834
SHA1: 7A83EF8072845CD1E34926D1316A39DFB704893A
SHA-256: 1DC7BE1AF5775E09D057FDC7F5B8918D851F459A24FD79C0AE68A66671F8571F
SHA-512: 27170F076217BB2C36F0783670207BD122234A8678FB31B4CA39637B9BCCDB5F4AF2093FE5E11BA52820E3A14D114ECF60674E408112D966F378BD6441F961AE
Malicious: false
Reputation: low
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.6.<./.P.i.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2515.tmp.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 4574
Entropy (8bit): 4.459645456769821
Encrypted: false
MD5: 168333F670F2947B88B09939A6B4D26C
SHA1: 456FDEA511DD74BAC0B188A810F90D6EF83C4932
SHA-256: 259AA0A2E499C7F673E2AC5F818B173E6CE7B3BDB807196246B4C9AF16BC98D9
SHA-512: 27183D3617A33658195D073A641431A29503114F6AA48807276C12F421368E96D2C7AFBC8EC832AD936451DB0707A798FDBB0EA32C7738BD210BBB0AF7A4B19A
Malicious: false
Reputation: low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1010479" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" /
C:\ProgramData\Microsoft\Windows\WER\Temp\WER30DB.tmp.dmp
Copyright null 2020 Page 23 of 113
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jun 13 02:22:36 2020, 0x1205a4 type
Size (bytes): 313305
Entropy (8bit): 2.2597388788985393
Encrypted: false
MD5: D2533BCA204E3492ADC4B13F39F92B0C
SHA1: 1D0940CFE1C5D4B858D6B130960CDF12A98CE1AB
SHA-256: 9A00B4700CCF7E4173992718052B3769F3E3CBA5925139F4F1BF1FEED18A5864
SHA-512: 11C2D7499A355DAF75B4CA5617030EDB364AB5CECBED657777F0900CE8E6D11114BC1E1C7BEAEFCA8427D263DC09ABC7A02CA6F2A7064F92E8FE21273DC469D1
Malicious: false
Preview:MDMP....... .......l8.^...................?...........B.......T......GenuineIntel............T.......(....7.^....:........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER30DB.tmp.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER38DB.tmp.WERInternalMetadata.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 8302
Entropy (8bit): 3.6995147996762245
Encrypted: false
MD5: C6230BA168925091EE14CD71838FACFD
SHA1: 2D4F614E33ABE5A1BF6B099923E3279055EDA8B2
SHA-256: 2184B53924786D1519595B3D0DCF6DE235DFBA998FCD68A588395898543AA324
SHA-512: 2DA3796C24085CA2FBE343FE1C76C58D16B24ED7BEA3F6712C42CDF605B1A0E1602CDC24C8859A91ECB4467CF288AFA3A6364D78FC9E48D1104714085FA34B89
Malicious: false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.6.<./.P.i.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3949.tmp.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 4574
Entropy (8bit): 4.46348092329818
Encrypted: false
MD5: FCA3C1B421470F748085EF9EE3AA53E0
SHA1: DA3BC0BFEC62AC3D7378D8306C2A7D8DC3A24B2E
SHA-256: C2743A98CB8D536C2EC165274769952FE6FD4B30A6EEA576D402809B5EA9BD80
SHA-512: F4B3C2EF109DC879D618BCD10B05BCDAFC6CD8CD55D9C02A0F2DCC3B3782E8EBF922CAE1E518B7933946B4ECEAA6D10DD2D5F6C8BA1D30A232DBB7B1F8A7748C
Malicious: false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1010479" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" /
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmpProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jun 13 02:21:33 2020, 0x1205a4 type
Size (bytes): 377279
Entropy (8bit): 2.605179415689641
Encrypted: false
MD5: 74415C9DC16055EA502E9BF0BCF18E97
SHA1: 5814ED21E388D0ADEC8D927BB4CAE671A1C690FC
SHA-256: EE3C58AD0970F15FE73457CEC0416A37A9624B3BBCCCDDAC3E394E018FFB1C45
SHA-512: CECDC8668BE89D85F89E47CD219FB5CD6820C9654C0C49F533520F218DB61C557FA54B212C94E4F1B5CEE4498015FA51E9C40872FCCEF2B2669378033FB4094D
Malicious: false
Copyright null 2020 Page 24 of 113
Preview:MDMP....... .......-8.^...................?...........B.......T......GenuineIntel............T.......(....7.^....:........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 8300
Entropy (8bit): 3.6999227739097114
Encrypted: false
MD5: 40D4059FD66BB1E59569264E29AAE422
SHA1: 01EAD6F3CE1FDEAC7F0B0C2B69CA637CEB92439B
SHA-256: 3A49C5840779F3A35BA64DB5B79F32FE91064C495327A881F8BB7DA239E7A1F2
SHA-512: C574B4567ED57019D998296ECA1DB62DCFD1B37C554FB17AD1D820104FD127438E3E204A802238DE40C4F3986FD843AE7F64172A4F8F62FEC99C3CC259917769
Malicious: false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.6.<./.P.i.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42F3.tmp.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 4574
Entropy (8bit): 4.461513014134368
Encrypted: false
MD5: D66D9EAA75CA0544619C4B81CE7CAD9E
SHA1: 078B76617210F9DDCFB6043BD6778CB4C6744887
SHA-256: C1D5ABEDDCB4E90296D2464D9F329AF744F3E5A08F4F44AECA689F367FD892E0
SHA-512: 9DD7940DA498F25D7B91B2604998655088DAE1F8B7FC5B61D5F260EEF405B1925D1ED9D4DA27C852B0DC88DE4BDBF4A1E6E9A83B737119FC0C5997D1F9A04ABB
Malicious: false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1010478" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" /
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA38C.tmp.dmpProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jun 13 02:26:22 2020, 0x1205a4 type
Size (bytes): 314479
Entropy (8bit): 2.378686035830766
Encrypted: false
MD5: BCA5AE273DDEFE989EAF1778DF6C8819
SHA1: D56EBBA8E30BF83D7BED62720A91751828093324
SHA-256: 0847160C81B55FFA0C3871EA8FB1A4F7CE9436A191F914A36F8E4BE8C9C7E055
SHA-512: 7E4FB65DC51167CEC314FB934F81E7D3A1953E2B93921BC3FE97211BE57F4BD2CAD2199557E1CC2EA151F87A979A5646D5292513EB1A2D2851C5EFC28E38887F
Malicious: false
Preview:MDMP....... .......N9.^...................?...........B......|T......GenuineIntel............T.......(....7.^....C........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8FB.tmp.WERInternalMetadata.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 8304
Entropy (8bit): 3.699783305569705
Encrypted: false
MD5: D712667C88CBA85696B047D2CB44403C
Copyright null 2020 Page 25 of 113
SHA1: B8020025AB23BC915290B8B73827B545CD745D86
SHA-256: 3C4DCDA9B158205A5791F6374B1FC651AB3994FEFAF3EA75F54504C04CB0C94D
SHA-512: 500F81EE9623D0A7E5C16C2E5B99BE0F0AA1E7F60174EF7255C1CA1D3A8AA7BB655542579585B298746A7503CD510F719C8A134CBF3330CFB7B8BBB3B13EF693
Malicious: false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.6.<./.P.i.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8FB.tmp.WERInternalMetadata.xml
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA95A.tmp.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 4574
Entropy (8bit): 4.460231623734726
Encrypted: false
MD5: BF928731172D128B0F96EA2B1057D185
SHA1: C3F56C290FC164426C96C4241D1C65D19EE89174
SHA-256: 6AE53C082F99A67DF86433FD99F3B7A1C54F4AC45769B5CCBE5EBA075045492F
SHA-512: AEC30F3EEB8AFEDCA529CE42F0403587FEA6127FDB5FDD753255091FA945188CEA503A224CAFB69AD232887628F5DF38380F339FAFABA474F3B92EAD00106977
Malicious: false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1010483" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" /
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE5B.tmp.dmpProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jun 13 02:29:41 2020, 0x1205a4 type
Size (bytes): 313479
Entropy (8bit): 2.3774308116439675
Encrypted: false
MD5: 953A02DAAD6F848F649974F5FD42D8F2
SHA1: E0C58FCE0C1A09BA7E8A78D5725B9A1B2B3ED455
SHA-256: A153E38A4C726CA24EFDF9340AF730A16EE25A53033B15A8950B3482137CFCD7
SHA-512: A836678E6023EB769E2A0E394A3BA9A574EFC3246658C11B8E9B68E164C9D5D2DF4F6405E0CA2AA9CE0DD61CAD918489B0A1622959E2B035FBFB8D35C37E928E
Malicious: false
Preview:MDMP....... ........:.^...................?...........B......|T......GenuineIntel............T.......(....7.^....D........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3A9.tmp.dmpProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jun 13 02:26:26 2020, 0x1205a4 type
Size (bytes): 309893
Entropy (8bit): 2.3373625070860586
Encrypted: false
MD5: F0485BF04E3BF1E9191E7689898D0195
SHA1: 24707BC6DA0212D6BE1A53713D98298ECAE0D77A
SHA-256: A24C0F75E29791ABC1006D9B49BF56FB5B8AE75D3BE77E61351F083D27124A9F
SHA-512: 710FF95ABA3CF56490582E3FEFB3EBDCA4920409CE5AFEE059B7C4436C10AFE0A479F1AF32CFF5B2A5B456B9CBCA947D24CE627AACF67ACD4AA376D5889B1EA3
Malicious: false
Preview:MDMP....... .......R9.^...................?...........B......|T......GenuineIntel............T.......(....7.^....C........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
Copyright null 2020 Page 26 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4C4.tmp.WERInternalMetadata.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 8304
Entropy (8bit): 3.70063377929905
Encrypted: false
MD5: 21E5C5582B47EEB5BA9C34107439662B
SHA1: A317C27C0213B15D1C61A8580C7AC8B709F6B970
SHA-256: 293D50D34711E5C4BAC2D2DCCBE407B46F49C5FA7ABF780ED6165C45A3459649
SHA-512: 4E6ACC0EA273394298EA623B82D3B5A216A709325FC8C73A0639F1B862D3B0107D669726DE72EF8934536E58EAB97A54569C36E0D8609C46E73B00153F4BF580
Malicious: false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.6.<./.P.i.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB561.tmp.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 4574
Entropy (8bit): 4.460757383188483
Encrypted: false
MD5: B75EF6ACE188AF6A9DE20D689C858B39
SHA1: 25922694CFA61AA5CD904D0F6031973F28755999
SHA-256: 003326563860125CC18B3A0F8E754D3C5BD61158BAE6C45C63B1A52D36C79E92
SHA-512: 36FFCEADE637E2E04648747A5CA904E31B9CBAB949559F0CCCE13F852DADC0DBDDC7FE8721C6E21E21C587719EAE1D8043C56B330E3FDDCD8F587360D8B6BFA7
Malicious: false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1010486" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" /
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9F3.tmp.WERInternalMetadata.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 8304
Entropy (8bit): 3.6981296842323856
Encrypted: false
MD5: F4106726BA45FFB2AE1273E4EC58B710
SHA1: C54ECBD6799CC6909339B4AB2FC6CD7B19A2D13A
SHA-256: F48AF6F220E96B352CEEB76238A5981E366AF1E82C71AAE53E23094857E8DE9C
SHA-512: 5AFED3B10A363BE68F24BEB46AA638D860EBFA85E36FD286F689526BF64C26D44AF3E0F99FEF65511A24006E36414C46A45A6AB947116B5F6F47FC05F4FC7BEB
Malicious: false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.6.<./.P.i.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA52.tmp.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 4574
Entropy (8bit): 4.46206430342968
Encrypted: false
MD5: 33D11F25B8BD116580D4EF2AB16F7CD0
SHA1: 0AD0F371E1B1A926895DE7A81DC6DFA69AD62D4B
SHA-256: 485E39473299DB26F935385A90C2E8FAA7DF1DEEEA5B4B3E5381B5CD2B39A981
SHA-512: 5BB4C7E435EB4A20434B4B943023772925A276A081D624CAC35E47E684CB6BC74143A9488D0051FD029E17718B1F8FBC193F274B6DA722E670620D821DEC7D1B
Malicious: false
Copyright null 2020 Page 27 of 113
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1010483" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" /
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA52.tmp.xml
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC05C.tmp.dmpProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jun 13 02:29:46 2020, 0x1205a4 type
Size (bytes): 309365
Entropy (8bit): 2.342501155778975
Encrypted: false
MD5: 450C6682488F1497CEE7820DDCC91574
SHA1: C14D6519B704A25F0721447AD718A8AFB030D7F2
SHA-256: B4F4B6B2BCC21517F74B814B88ADF2288B5EDB2766BE15806AAB14B8357D61C8
SHA-512: F89A075BF0F3768651F8CB2F3140B0B94EEF90127EB668B4131E472F8D0495EC54BD5436DF5A5DB49DFE0DE913F60A654CCC7322CC87C69168BAA1BCFD28C4CE
Malicious: false
Preview:MDMP....... ........:.^...................?...........B......|T......GenuineIntel............T.......(....7.^....D........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC697.tmp.WERInternalMetadata.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 8304
Entropy (8bit): 3.698501730437607
Encrypted: false
MD5: 73101E524820E88BAA65AF29CAD29A1B
SHA1: 9AC2D34FC127858EC741D4975A69F6B62B7338E5
SHA-256: B1C9C6CC7EE1E2C2D22ED9AF592C6CDDA8443092E8E8A76B9C214C0A25542A81
SHA-512: 9D94756E89CE93E1809E94B0DD09EAA93A8082FB6FC2AB122239A8E49D1F7ED7D2E1CB79C3D932CAAC14A6B7496C52A513C9117A8AF4C0E9AEA13FF97933F50F
Malicious: false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.6.<./.P.i.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC744.tmp.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 4574
Entropy (8bit): 4.463075056011114
Encrypted: false
MD5: E3CDA2040B27B9A195DC1ECD8D449814
SHA1: 30988A5E6B6AA5B8C0881BC4442446D290544039
SHA-256: 4F4F06D4C4AD4698F5AD6A7BA5F2E68552D03DEE23D69F99F525CFE53057BE38
SHA-512: 4EEED6518A37AD7A88F3964A49C52594F916240DC1CB42B2BF01D06DC1056BD248C95129821B76B05AE7BDF4B650FFA5CE86BF13BDB7E2D3F369156C1047F3F9
Malicious: false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1010486" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" /
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDF9.tmp.dmpProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jun 13 02:25:31 2020, 0x1205a4 type
Size (bytes): 317317
Entropy (8bit): 2.322769034372081
Copyright null 2020 Page 28 of 113
Encrypted: false
MD5: 25BD5E69AECDFE3F60C44CD53A8EDA61
SHA1: 3190786C9D33AA6B490DCF0AC2B4142EA24C9815
SHA-256: 02845FA8814F3992A4E487F72EF6635391915EA40D7D66C0436D63911B66B1DA
SHA-512: 018D3ADD21416453631A6FE9DA2D09C7A1A5B0A24A3CD9D1D0230F27126A3F491CB11508BFDBE60AB16FA85AD8DA442A7BCA08272299F69CE887EBAEE1ACBCB1
Malicious: false
Preview:MDMP....... ........9.^...................?...........B.......T......GenuineIntel............T.......(....7.^....C........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDF9.tmp.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE405.tmp.WERInternalMetadata.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 8304
Entropy (8bit): 3.701059264551976
Encrypted: false
MD5: A52AF39EA9A347750D34D791BA1F224E
SHA1: 3E49AFE9989891064CFC9BF880D6781BFE9AA689
SHA-256: 0205513563B5DCFF1D21EA4183C03659E8BF565E993864477E1CD11911D809B8
SHA-512: 599CBFF8075D16EE32C861A143D51ADEE364C37D1C6DD80FB6A6E79D4445EF7173C940273E37D4F7E3BF80D519DC074A77379FF7BF78DDE5D33AC0FE25BDB0DA
Malicious: false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.6.<./.P.i.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE474.tmp.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 4574
Entropy (8bit): 4.460945528051079
Encrypted: false
MD5: DEC34DFAF81F014553AE0740AA3E1FE3
SHA1: B7A4E111CC65EBBB40238E091A13E0E8CB1FA297
SHA-256: 67CCD1162156C2652C155D90B945559F35ED7C2E01FE4E9D76D4BC01F9E6C0A4
SHA-512: 17CAC7EBAE1506BEAC1BE634FA4AE71596617DE1D84CEAB6AA3E75840CFC129A89DA6B1CB2FD43B6C9EB9F8D6CD1EAD8D42E45E5076F2EDAF6F6025E85259AB0
Malicious: false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1010482" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" /
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF53B.tmp.dmpProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sat Jun 13 02:25:37 2020, 0x1205a4 type
Size (bytes): 309675
Entropy (8bit): 2.3372226677468286
Encrypted: false
MD5: 3658D122B684FA01BCAB0DC290AE3BB3
SHA1: DA3A6C45ADE626A42E2D0C69D8B0A0F93617950F
SHA-256: 0526E2570AF20D3179BDC790A1A0BF57DFD3B83BCBFBFBE2FE87BFA8D211DD52
SHA-512: C000C3BAAFD396AACF8C5C143E9646980DC07E1F28FFAFEB42A72F655FE16E8BD3D74679FEAB79DDADC76A82B005B9DCA26D90E8B9EAA7270B572875A0984305
Malicious: false
Preview:MDMP....... .......!9.^...................?...........B......|T......GenuineIntel............T.......(....7.^....C........................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
Copyright null 2020 Page 29 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB46.tmp.WERInternalMetadata.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes): 8304
Entropy (8bit): 3.7001585034126356
Encrypted: false
MD5: F111EA90A1D2085794A9CF670418637B
SHA1: 4984BB4FAA3B1622B358FDD14F0F0180EFC76A25
SHA-256: BF92359668B2BD62893E813CFD3542006B9B0E43CCA1EACD89C3D8DF4DED7476
SHA-512: 3A397D5261AB9D807B0B8B8BDE50D23ADDCFBC76AD9CA343D904D06E5A24E7AC39B8E0C6DA9E8E62CD64A510189F4A1CA9A97930CB6125F3D1E832B6EC724E6D
Malicious: false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.4.1.6.<./.P.i.d.
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBD4.tmp.xmlProcess: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 4574
Entropy (8bit): 4.462566083645905
Encrypted: false
MD5: 785A9076B48DF223C1CF0F35A7A51591
SHA1: BC28ED593E9BCC9E68A486A61AE1FC0ABE50DFF9
SHA-256: AA5C5E54C3984A122C5AD773178AF53AC498FFAFD901EBE6252E68946C6EB212
SHA-512: B09090329A8ABDAA38868DC4B7D3A3E77334257B2A177C14D120692AE81260F5D1AC5595114CB6D2ED92EFA3166ED71A4ECFC6C0E4A07A6566E43B4A0CF4C335
Malicious: false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="165" />.. <arg nm="verqfe" val="165" />.. <arg nm="csdbld" val="165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1010482" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.165.17134.0-11.0.75" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="2048" /
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D7947CFB-C60D-4B09-B664-749490813E98Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Size (bytes): 126838
Entropy (8bit): 5.378290954662956
Encrypted: false
MD5: 2AADF15A15A3C3F513C4646C1F4F27BA
SHA1: 78A6E78F1005CA6246D27A0B20AF6BC79D9364AF
SHA-256: 13A606DDB35F1FD46D21FE15E665A5DD65FD5A22BAADCBF3E543CB0839599BF6
SHA-512: D852D036DEC8073A1C5AFA5280E991E36706F839548A0162028AD4FA48A12279C63EC34935D6CFF034EB4B29789DA741D90C6FEAB3C7158747D0D2C46849EE33
Malicious: false
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2020-06-12T17:20:20">.. Build: 16.0.13011.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xmlProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: XML 1.0 document, ASCII text, with very long lines, with no line terminators
Size (bytes): 412027
Entropy (8bit): 5.105190603444391
Encrypted: false
MD5: 5F2A0C5CE21462BA3620A02E887FE38F
SHA1: F55BE2197E8A76192D29AE68D0E25BAD8BF144E1
SHA-256: F1E6977EE28764F50918828603EBD1CE27A4151349DEB6099C269447D950DB57
SHA-512: D7582E9DFE8461C428C922000C8A5B287CD4D4F484353A65242779B04BA9D2B4DFA0A528F4FC3AD60FFA0E57BD2835D5A6ECBDFD5C68E0CCAA7F9863DF1E5C0D
Malicious: false
Copyright null 2020 Page 30 of 113
Preview:<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2" F="Warning" /></C><C
C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.dbProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: SQLite 3.x database, last written using SQLite version 3019003
Size (bytes): 4096
Entropy (8bit): 0.09237477444559435
Encrypted: false
MD5: 1A9A28416CE9CCB568FC28191B8B1267
SHA1: 49BD37DCB1210C3DCDACE52393537FA0197EC14F
SHA-256: 9B8EC34DF5486C537505C5B582CD27519C114BE8EB58098E1C6F7DCCDF63C617
SHA-512: 516998D8F0639272541EF5DFE99EF0B73281F320CB6014AEDF96E5D415DA301CED8E1ADF38A7514D3279BE9B850A2C3F8D21A385C03F520351AAAF4FD693AABA
Malicious: false
Preview:SQLite format 3......@ ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-journalProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 524
Entropy (8bit): 0.27937671757176796
Encrypted: false
MD5: AC08C0E81B904E70EC950FB92768DE7F
SHA1: 59F21CC1D1A29C912D018A9498E11FEB06C25147
SHA-256: 4BD908B049D327AE0B701AD4FC4073F25D40AD7561DCB94FCA6AB7493B6DD133
SHA-512: 8EC7FB446540FACAC50A50042204FC9426991B3C2F6B4DC9BB5F01B0E7B94DCE18A0A0B49E62CF7588DF50C9D4BB6B484D88A758D0B9B62E1B4B918811EA0966
Malicious: false
Preview:..............D.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... .c.....
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-walProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: SQLite Write-Ahead Log, version 3007000
Size (bytes): 37112
Entropy (8bit): 0.40359483868295926
Encrypted: false
MD5: BE3C5334BC6285390DDAF76FAC5E0FCA
SHA1: 55A95874F4665E7615D1BA374F91202B3A9DCF89
SHA-256: 415EE184E54DEE2E17D3B28E8C09410B6DCE1A31B9CFD40F617EE550D1F9E62D
SHA-512: 5957FAEDD78C2ED434621211343D8D0371FC83F690EE6743981CD8359E62C9B5569BC0308197AB08356BDB2B3E8516BE136626927C96A3E2B313176AA67507E1
Malicious: false
Preview:7....-..........}4]..!J2.D7..v0A........}4]..!J2....]>.SQLite format 3......@ ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.sessionProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: SQLite 3.x database, last written using SQLite version 3019003
Size (bytes): 61440
Entropy (8bit): 0.45328312377601476
Encrypted: false
MD5: 5F578D197E0D9CD8843141450FE84D92
SHA1: 58F2614CEEDDFE6CFFF25B8C163F273217CFB6DE
SHA-256: 86A52BBF55F5C59A047FA2CB6961B7752576E7A8D89FC15B3ADCDCE3F925498E
Copyright null 2020 Page 31 of 113
SHA-512: 6A65FD044CBF4BD1B5C036DDC510D61FD5A2A253A0611FDE7C842160FB4AB77E48D311296706D8B3BF79B7DC1624E9296284A4E1A3A3D4C8772B930CAD5D0739
Malicious: false
Preview:SQLite format 3......@ ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session
C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session-journalProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 44184
Entropy (8bit): 0.4738238003283008
Encrypted: false
MD5: DDAE83AEC605F9F6BEB3C27EEC78947D
SHA1: C0D0CC007271827F63C91772CF6B6D7509596E99
SHA-256: BC8B3F791FBA0B94B4BB318842CBC3A1C700751F167D3D691C3A99E33B568522
SHA-512: 94A8E5F2F902BF90D2F77859700F391CEDFC888465BAC55407FE0A7687D026B8BECEF94C5C4C354089722E13BE5B8D249C5A405F1A6493EA77B7C9051EF155D6
Malicious: false
Preview:.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... .c................."...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2C5A9E27.emfProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Size (bytes): 700
Entropy (8bit): 3.5728396480428266
Encrypted: false
MD5: 6764DFB59D65C635348B642501433F00
SHA1: 41B87DED8F8A8D8F428B53A6E0D78728C4E6E910
SHA-256: 3D77BAF710A0E6A07A82DA0B8D66E390CB9FFF612A44746BB914412D5BA1F351
SHA-512: FD80242A15CC9B6B2F8150D114C1F36AB26CDD4528FE37024A21FCF141DEF2449D53D27FB4477767DA358E090631F82722A79D0E9DB1A54A89F797CEF6C687EA
Malicious: false
Preview:....l.......A...w...`...............F... EMF.............................................................:..............................l...R...p...................................S.e.g.o.e. .U.I....................................................w........ .>m...........w....O.f.f.i.c.e.1.6................. .>m....j6.s.......................w...w(...'5.s............85.s...wl... ..w.rvd...............l... ..w.rvd.h..PIiv........8.kv.....h......0...t.bv..kvh...0....h..........4.......Z..w(.......dv......%...................................T...|.......A...w...`..........A...AC...A.......L.......................\...b.a.s.e.c.a.m.p.................................%...............................
C:\Users\user\AppData\Local\Temp\D7F30000Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 517408
Entropy (8bit): 7.984073015353868
Encrypted: false
MD5: 21226B3FBF86BAFBD10F4A7EF403BB23
SHA1: F715994D120AD94287C555404367D77FB7AE0AC2
SHA-256: C4722B66FC56A9BD5F79FD54CDE6ED0D0E9958DA5ADF6B3607CDD724741A88FE
SHA-512: 476409AA42EAA980FC1D76EF14DA023A153FE84FFEDDA371A28E640501F630344E6F71281B1F9A39D343584A7E836ACB877BECA63073C86AC228572146C5C928
Malicious: false
Preview:.U.n.0....?......."..C.c. ....Hb......C...@.`..-$.7+..[....T..l^.X..qR.f./.._V`.V..,.l...?.,^v.. k.5.c.W.c..X9..vZ.....:.E........8...2&..\.B+.u,..W.R..7.s..f.{...I(.X...tm....y7.].. $......E...b$..AN0.7Ne..m.v.m...m...E...v.]E..}.._..#....;...."u. Q.'8.{...JB.$B|..R.....^9..N.......e?.s.?.F._...I.e....Z.x~N..aF.1.4..A.{.@>Gj........!.E...1=....^0+.i."w..Wo..y5u.}A.&.*v..O.y.q.....N.d]z....|...4.'[email protected]..........!.K...............[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exdProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 170164
Entropy (8bit): 4.364817585804397
Encrypted: false
MD5: 2D6B8C9DC5B3002CDFD1F737E35D46B3
SHA1: E07FBDF5EF10FD1A8450082F6B0DA8BFBFB2DBB2
SHA-256: D6C7212CA3BD545DD443805C69DEF03BC314ADE5A78AC138CA6B0B1DC0FE69C1
Copyright null 2020 Page 32 of 113
SHA-512: BB1C92E130C861393A14D5CA979E314290DC95447BF35E029177EA5FA85B0C8C11EAF5D0AA21473989DF3131D74C829C32694877D972F2F5E2B884393AE4FDBB
Malicious: false
Preview:MSFT................Q................................$......$....... ...................d.......,...........X....... [email protected]...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. [email protected]:...:...:..`;...;..(<...<...<..T=...=...>...>...>[email protected]@...@..<A...A...B..hB.......l...B..........................$................................................ ...............................x...I..............T........................................... ...................................................
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
C:\Users\user\AppData\Local\Temp\VBF56F.tmpProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Size (bytes): 219
Entropy (8bit): 4.897118736106247
Encrypted: false
MD5: 3D7B679B71B104672291A34AE53669EF
SHA1: C2A27D136EA6975945B17D345BA0A8E4429969D4
SHA-256: 907A8D493BC7BE3FC02C5F29BFE1722003A783BC90AE96D952273B245A48E73E
SHA-512: D3E4112508EC9DE52479CB48E7767B2E7E09EF929AE940CF89318E6383AF858CC25A2A7C7534E547F3DF1150F8F92D84DBE783B80E0152C06BC19A3EA49D317C
Malicious: false
Preview:VERSION 1.0 CLASS..BEGIN.. MultiUse = -1 'True..END..Attribute VB_Name = "Page11"..Attribute VB_GlobalNameSpace = False..Attribute VB_Creatable = False..Attribute VB_PredeclaredId = True..Attribute VB_Exposed = True..
C:\Users\user\AppData\Local\Temp\basecamp
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: COM executable for DOS
Size (bytes): 614710
Entropy (8bit): 5.739042908207294
Encrypted: false
MD5: AA1B21A3949E90471A7337DD4C9EE635
SHA1: 5D3984441EFA32A195D0B89C671C6D7CCA00375C
SHA-256: 88DB87DE2E37B1C6D285FE273CF71A5A3C5AAFC3D388F0215AA2C1F05D2BBA74
SHA-512: 5B76C0D12CFE34D3D3334E0BAC9979A3E9C58235D62518839FFF03BDCF762CAE2284CD2DD4341EE47FAE39C4D2536BBC8373CE533FB8128B5D0626996F478BD7
Malicious: false
Antivirus: Antivirus: Virustotal, Detection: 3%, Browse
Preview:..................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.<...R...R...R.".....R.".P...R.Rich..R.........PE..d.....*X.........." .........................................................0............`.......................................................... ...............................................................................................................rdata..p...........................@[email protected]........ ......................@..@......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\basecamp:Zone.IdentifierProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1: D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512: AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious: false
Preview:[ZoneTransfer]..ZoneId=3..
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zipProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: Microsoft Excel 2007+
Size (bytes): 517408
Entropy (8bit): 7.984073015353868
Encrypted: false
MD5: 485EF3692496DDD78AADFF969A93D68F
SHA1: 8A89505B410B6FCC8FBBDCCBA501AB60A0DFB005
SHA-256: 8361BD5713D53F0AD1DD607B0281A5AE9BB529F4CD30625591718A8B0C05AC38
SHA-512: B773D4EBD2552DB8B4934EF4B4B526183F9BDC211C37FEC88442821006086BFEA79C74908339D30D9C9D735EDB4D27FD823174F50284DD6ACB6CCE7C794C3778
Copyright null 2020 Page 33 of 113
Static File Info
General
Malicious: false
Preview:PK..........!.K...............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.n.0....?......."..C.c. ....Hb......C...@.`..-$.7+..[....T..l^.X..qR.f./.._V`.V..,.l...?.,^v.. k.5.c.W.c..X9..vZ.....:.E........8...2&..\.B+.u,..W.R..7.s..f.{...I(.X...tm....y7.].. $......E...b$..AN0.7Ne..m.v.m...m...E...v.]E..}.._..#....;...."u. Q.'8.{...JB.$B|..R.....^9..N.......e?.s.?.F._...I.e....Z.x~N..aF.1.4..A.{.@>Gj........!.E...1=....^0+.i."w..Wo..y5u.}A.&.*v..O.y.q.....N.d]z....|...4.'[email protected]
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip
C:\Users\user\AppData\Local\Temp\oleObject1.bin
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Size (bytes): 622592
Entropy (8bit): 5.725556420766676
Encrypted: false
MD5: C6B2A34B8082F73B3AD04BD2029A1A35
SHA1: 187514B18F23AF582BCEFFE257D4469DE727B02A
SHA-256: 67A242A5DB23BFD7192D94D3C2882C02F196C8E432F6A5B6DE525A1274830C37
SHA-512: 88420FCF4A5EB9B9F4FBCFE40385D7F7C6C11A2580372D345CD6B1CE4EAA0A2696666AD4D3D66BE4CD0486356C4D7DF30BD81D500C997A46D4BF1D1842422C59
Malicious: true
Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
C:\Users\user\AppData\Local\Temp\~$funduct.xlsxProcess: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 165
Entropy (8bit): 1.4134958568691696
Encrypted: false
MD5: EC44A10D4853F1CFFE7BBDA771AEE4D8
SHA1: 895FCC3C3C58D771A8DBDB804D74B878AE167DE4
SHA-256: 269F81E30F3F32118FD912EFC6DDD81B27D197E4CA23D6FAD8BD7E9848FC37BE
SHA-512: AFC14523F0E2975749AC1DAA3CE3C68FE1CAADDC16AFE67042D605F6A61ED250E538457F458A4EE153334C9E1EA8F7C13A6CA8CA6B264A0BD373E60264F90482
Malicious: false
Preview:.user ..G.u.c.c.i. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\libOmio.dll
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes): 285696
Entropy (8bit): 5.674502735022164
Encrypted: false
MD5: 83B02E12A48B092F91788D7C253DD1C2
SHA1: ACF4E3C3FD1772C7D4EBEC32B38D018CCE4E9707
SHA-256: E35B9FEACFBA1DF802F9ED242775361F4317C22782F4E9E2DDDD095577A72487
SHA-512: 2346555B01A3F5DA162DCE7A8091E304A207965F1AD6D956E6FC0DE1AD457C1BEA0EE0B7FCBA53FDC0155C021BBA53213F585932C59D1A09B0C429E0E190318F
Malicious: true
Antivirus: Antivirus: Virustotal, Detection: 32%, BrowseAntivirus: ReversingLabs, Detection: 25%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.0.r.^.r.^.r.^...U.s.^...T.e.^..P.x.^.{..p.^.....q.^.r._.:.^.{..s.^.{..s.^.{..s.^.Richr.^.........................PE..L...P..Z...........!.....J...D......0........`.......................................................................k..H...<e..<.......................................@[email protected].......................`..(............................text...TI.......J.................. ..`.rdata.......`.......N..............@[email protected]... [email protected]....,[email protected][email protected]................................................................................................................................................................................................................................................................................................................
Copyright null 2020 Page 34 of 113
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: tUOO, Subject: YaVMj, Author: OPVJMX, Last Saved By: Administrator, Revision Number: 365, Name of Creating Application: Microsoft Excel, Total Editing Time: 16:37:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Wed Jun 10 15:08:07 2020, Number of Pages: 1, Number of Words: 4330, Number of Characters: 9615, Security: 0
Entropy (8bit): 6.087815742592478
TrID: Microsoft Windows Installer (77509/1) 55.35%Microsoft Excel sheet (30009/1) 21.43%Microsoft Excel sheet (alternate) (24509/1) 17.50%Generic OLE2 / Multistream Compound File (8008/1) 5.72%
File name: PD_669 10971.xls
File size: 827392
MD5: e01daa23055e3ed64b745e50214b7a79
SHA1: 5a72024f11fe97713235209b2ca5a3faff30a1a0
SHA256: 7bafb9938c0694ba42a9a3ac10322418c39e9783da5772390132552efd7227e6
SHA512: 6c7359aaf612cca9e4f3b619bf76595e59705480ca1d064ac7229dac49f6a5cc4f52103ba0949504962b6e545e05e22025179f7a50ee913073dc607ba6fa987e
SSDEEP: 12288:9QWgDUAWheFf77t2RxdMgDgrUsIGLcS19wTVFU6XRuD+yaCr6bszHl:9QzpWheN7tqgrUGLcSKVFU6hBI6bkH
File Content Preview: ........................>...............................................................................................a......................................................................................................................................
General
File Icon
Icon Hash: 74ecd4c6c3c6c4d8
GeneralDocument Type: OLE
Number of OLE Files: 1
IndicatorsHas Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True
SummaryCode Page: 1252
Title: tUOO
Subject: YaVMj
Author: OPVJMX
Last Saved By: Administrator
Revion Number: 365
Total Edit Time: 59820
Create Time: 2019-08-30 09:14:50
Last Saved Time: 2020-06-10 14:08:07
Number of Pages: 1
Number of Words: 4330
Static OLE Info
OLE File "PD_669 10971.xls"
Copyright null 2020 Page 35 of 113
Number of Characters: 9615
Creating Application: Microsoft Excel
Security: 0
Summary
Document SummaryDocument Code Page: 1252
Number of Bytes: 10037
Number of Lines: 775
Number of Paragraphs: 50
Thumbnail Scaling Desired: False
Company:
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 1048576
General
Stream Path: _VBA_PROJECT_CUR/VBA/CarClass
VBA File Name: CarClass.cls
Stream Size: 2504
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 00 f0 00 00 00 14 05 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 1b 05 00 00 af 07 00 00 00 00 00 00 01 00 00 00 d6 53 fe 0a 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Keyword
String)
VB_Name
VB_Creatable
VB_Exposed
car.SpecialFolders(""
"CarClass"
CheckCar
Integer)
Public
vSpeed
LicensePlate
vLicensePlate
String
'Raise
error
LicensePlate(lp
VB_Customizable
Integer
SpecialFolders()
Err.Raise
Drive)
Drive
Speed(sp
Len(lp)
Application.WorksheetFunction.Min(sp,
VB_TemplateDerived
Property
Application.WorksheetFunction.Max(vSpeed,
(xlErrValue)
CheckCar(car
False
Streams with VBA
VBA File Name: CarClass.cls, Stream Size: 2504
VBA Code Keywords
Copyright null 2020 Page 36 of 113
VBA Code
Speed()
Attribute
Object,
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
Speed
Keyword
General
Stream Path: _VBA_PROJECT_CUR/VBA/Module0
VBA File Name: Module0.bas
Stream Size: 683
Data ASCII: . . . . . . . . . $ . . . . . . . . . . . . . . . + . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 01 f0 00 00 00 24 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 2b 02 00 00 7f 02 00 00 00 00 00 00 01 00 00 00 d6 53 df 07 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
Keyword
Attribute
VB_Name
General
Stream Path: _VBA_PROJECT_CUR/VBA/Module1
VBA File Name: Module1.bas
Stream Size: 4935
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . S P " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 01 f0 00 00 00 dc 05 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff e3 05 00 00 53 0f 00 00 00 00 00 00 01 00 00 00 d6 53 50 22 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Keyword
#Else
Const
Variant
errorhand
Public
Resume
GetP.aram
sT(ii)
False
String)
sPath
String
sNextChar
errorhand:
VBA File Name: Module0.bas, Stream Size: 683
VBA Code Keywords
VBA File Name: Module1.bas, Stream Size: 4935
VBA Code Keywords
Copyright null 2020 Page 37 of 113
VBA Code
GetParam(Count
PathBack(ByVal
Len(Comma.nd$)
tooolsetChunkI
Declaration()
tooolsetChunkQ
ElseIf
Command$
Integer)
ALen.B(sCommand)
PrepareConfigForOutput()
Integer
Count
Error
Attribute
sCommand
Mid(sCommand,
abbrev
VB_Name
tooolsetChunkIParameter
Mi.d$(Comma.nd$,
PathB.ack
Path.Back
FlagDouble
UBound(sT)
Len(sPath)
Boolean
PrepareConfigForOutput
Keyword
General
Stream Path: _VBA_PROJECT_CUR/VBA/Module2
VBA File Name: Module2.bas
Stream Size: 9174
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . S G C . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . S e t W i n d o w L o n g A . . . . . . 8 . . . . . . . . . . . . . . . F i n d W i n d o w A . . .. . X . . . $ . . . . . . . . . . . D r a w M e n u B a r . . . . . x . . . D . . . . . . . . . . . G e t W i n d o w L o n g A . . . . . . . . . . d . . . . . . . . . . . G e t W i n d o w L o n g A . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 03 00 02 00 00 f4 0c 00 00 e4 01 00 00 c0 02 00 00 ff ff ff ff 23 0d 00 00 af 1b 00 00 00 00 00 00 01 00 00 00 d6 53 47 43 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 10 01 00 00 00 00 b6 02 14 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 53 65 74 57 69 6e 64 6f 77 4c 6f 6e 67 41 00 00 00 00 b6 02 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 69 6e 64 57
Keyword
#Else
VistaQ
Const
ctackPip
lpClassName
Width
ColRange
Byte)
CurrentSizeOfAT,
Public
WS_SYSMENU
Resume
Long)
ByVal
sendings
VBA File Name: Module2.bas, Stream Size: 9174
VBA Code Keywords
Copyright null 2020 Page 38 of 113
ThirdB
sNMSP.Namespace(ctackPip)
PtrSafe
Declare
"FindWindowA"
ChDir
False
ms.gR.esult
VistaQ(WhereToGo)
ctackPop
""",""pipk"",""J"")"
String,
ErrorTrap:
String)
result
SecondB
Join(Array(dershlep,
sNMSP.Namespace(dershlep)
GetFlexGridColFromXPos
String
ColumnRangeWidth
Integer,
ctackPop,
ctackPup
dershlep
Shell
DrawMenuBar
"\funduct.xlsx"),
.Cols
Alias
ctackPip,
WhereToGo,
Single)
sNMSP
DerTip()
#LongData,
nIndex
dwNewLong
ColumnWidth
WS_CAPTION
ctackPup,
(ByVal
NumberBuffer(LongData
ByteData
ColumnWidth(ByVal
lAccWidth
GWL_STYLE
PublicResumEraseByArrayList
Integer
FirstB
Long,
ActiveWorkbook.SaveAs
Application.DisplayAlerts
Error
"GetWindowLongA"
TheGrid
ofbl,
Attribute
CurrentSizeOfAT
MsgBox(result
FileWherePutTo
"\libOmio.dll"
"SetWindowLongA"
.ColWidth(i)
Keyword
Copyright null 2020 Page 39 of 113
VBA Code
VB_Name
"LL("""
Composition
Function
ThisWorkbook.Sheets.Copy
GetFlexGridColFromXPos(TheGrid,
ErrorTrap
FileCopy
RCPN_D_FMOD_OK
ERRCHECK(result)
ColumnRangeWidth(ByVal
DoEvents
lpWindowName
ErrorHandler
FlagDouble
BoxWSL
Context
Local:=False,
PrepareForm.Enabled
ActiveWorkbook.Close
Private
ErrorHandler:
Boolean
PrepareConfigForOutput
Keyword
General
Stream Path: _VBA_PROJECT_CUR/VBA/Module4
VBA File Name: Module4.bas
Stream Size: 2564
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 . . . . . . . . . . . . S v . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 01 f0 00 00 00 fc 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 03 03 00 00 37 08 00 00 00 00 00 00 01 00 00 00 d6 53 76 a4 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
Keyword
VB_Name
Integer)
Public
String
GetP.aram
tooolsetChunkQ
Integer
GetParam(Count
Count
Mi.d$(Comma.nd$,
ElseIf
Len(Comma.nd$)
False
Attribute
tooolsetChunkI
Boolean
VBA File Name: Module4.bas, Stream Size: 2564
VBA Code Keywords
Copyright null 2020 Page 40 of 113
General
Stream Path: _VBA_PROJECT_CUR/VBA/Module5
VBA File Name: Module5.bas
Stream Size: 4120
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 . . . . . . . . . . . . S . R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 01 f0 00 00 00 8c 04 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 93 04 00 00 37 0c 00 00 00 00 00 00 01 00 00 00 d6 53 84 52 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
Keyword
PublicResumEraseByArrayList(ParamArray
Access
windowHandle,
Public
Resume
Long,
ThirdB
FreeFile
putArrayBigList()
UBound(Declaration)
frm.Caption)
windowStyle
String,
GWL_STYLE,
GWL_STYLE)
WS_SYSMENU)
ReDim
putArrayBigList
DrawMenuBar
windowHandle
Boolean)
Binary
Integer)
Integer
(windowStyle
FirstB
Declaration(i)
Error
Attribute
Close
NumberBuffer
SimpleMethod
VB_Name
Write
SecondB
(windowHandle)
KeyPropUpdate(frm
BoxWSL
Declaration(k)
Variant)
PrepareForm.Enabled
Object,
While
abbrev
LBound(Declaration)
VBA File Name: Module5.bas, Stream Size: 4120
VBA Code Keywords
Copyright null 2020 Page 41 of 113
General
Stream Path: _VBA_PROJECT_CUR/VBA/Page1
VBA File Name: Page1.cls
Stream Size: 977
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 d6 53 a1 ee 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
General
Stream Path: _VBA_PROJECT_CUR/VBA/Page11
VBA File Name: Page11.cls
Stream Size: 977
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . Q . . . . # . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 d6 53 f4 51 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
General
Stream Path: _VBA_PROJECT_CUR/VBA/PrepareForm
VBA File Name: Page1.cls, Stream Size: 977
VBA Code Keywords
VBA File Name: Page11.cls, Stream Size: 977
VBA Code Keywords
VBA File Name: PrepareForm.frm, Stream Size: 1650
Copyright null 2020 Page 42 of 113
VBA File Name: PrepareForm.frm
Stream Size: 1650
Data ASCII: . . . . . . . . . . . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 00 f0 00 00 00 c0 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff c7 03 00 00 13 05 00 00 00 00 00 00 01 00 00 00 d6 53 b9 10 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
General
VBA Code
Keyword
VB_Name
VB_Creatable
VB_Exposed
UserForm_Activate()
KeyPropUpdate(Me,
VB_Customizable
DerTip
DoEvents
False)
"PrepareForm"
UserForm_Initialize()
VB_TemplateDerived
False
Attribute
Private
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
General
Stream Path: _VBA_PROJECT_CUR/VBA/UserForm6
VBA File Name: UserForm6.frm
Stream Size: 1159
Data ASCII: . . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . S . V . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 d6 53 cb 56 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Keyword
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
False
VB_TemplateDerived
VBA Code Keywords
VBA File Name: UserForm6.frm, Stream Size: 1159
VBA Code Keywords
Copyright null 2020 Page 43 of 113
VBA Code
General
Stream Path: _VBA_PROJECT_CUR/VBA/one
VBA File Name: one.cls
Stream Size: 3051
Data ASCII: . . . . . . . . . , . . . . . . . ( . . . . . . . 5 . . . . . . . . . . . . . . . . S Z . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 01 00 00 f0 00 00 00 2c 04 00 00 d4 00 00 00 28 02 00 00 ff ff ff ff 35 04 00 00 01 09 00 00 00 00 00 00 01 00 00 00 d6 53 5a f2 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
Keyword
PopulateDivineCommercial(dImmer
"one"
VB_Name
VB_Creatable
VB_Exposed
ActiveHotbit
Workbook_Activate()
Integer)
PrepareForm.show
Public
String
ActiveHotbit.ExpandEnvironmentStrings(PRP
PrepareForm.Visible
"Minor
health
ChDir
"Major
VB_Customizable
car.CheckCar(ActiveHotbit,
GetInfirmityLevelDescription
WshShell
CarClass
VB_TemplateDerived
disability"
False
problems"
Attribute
PopulateDivineCommercial
Private
SpecialPath
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
"Severe
Select
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
VBA File Name: one.cls, Stream Size: 3051
VBA Code Keywords
Streams
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 292
Copyright null 2020 Page 44 of 113
Stream Size: 292
Entropy: 2.75053147878
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . .. | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . 5 ' . . . . . . . . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . D o c u m e n t
Data Raw: fe ff 00 00 06 03 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 04 00 00 00 7c 00 00 00 05 00 00 00 84 00 00 00 06 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
General
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 352
Entropy: 3.57183035351
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . 0 . . . . . . . . . . . x . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . ( . . . . . . . . . . . . . . . . . . . t U O O . . . . . . . . . . . . Y a V M j . . . . . . . . . . . O P V JM X . . . . . . . . . . A d m i n i s t r a t o r . . . . . . . . . . .
Data Raw: fe ff 00 00 06 03 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 30 01 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 02 00 00 00 80 00 00 00 03 00 00 00 90 00 00 00 04 00 00 00 a0 00 00 00 08 00 00 00 b0 00 00 00 09 00 00 00 c8 00 00 00 12 00 00 00 d4 00 00 00 0a 00 00 00 ec 00 00 00 0c 00 00 00 f8 00 00 00
General
Stream Path: MBD0090C244/\x1CompObj
File Type: data
Stream Size: 76
Entropy: 3.09344952647
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path: MBD0090C244/\x1Ole10Native
File Type: data
Stream Size: 614941
Entropy: 5.73916332785
Base64 Encoded: True
Data ASCII: . b . . . . b a s e c a m p . C : \\ 1 \\ b a s e c a m p . . . . . . . . . C : \\ U s e r s \\ A D M I N I ~ 1 \\ A p p D a t a \\ L o c a l \\ T e m p \\ b a s e c a m p . 6 a . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . Y . < . . . R . . . R . . . R . " . . . . . R . " . P . . . R . R i ch . . R . . . . . . . .
Data Raw: 19 62 09 00 02 00 62 61 73 65 63 61 6d 70 00 43 3a 5c 31 5c 62 61 73 65 63 61 6d 70 00 00 00 03 00 2e 00 00 00 43 3a 5c 55 73 65 72 73 5c 41 44 4d 49 4e 49 7e 31 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 62 61 73 65 63 61 6d 70 00 36 61 09 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 135282
Entropy: 7.42676381875
Base64 Encoded: True
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 352
Stream Path: MBD0090C244/\x1CompObj, File Type: data, Stream Size: 76
Stream Path: MBD0090C244/\x1Ole10Native, File Type: data, Stream Size: 614941
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 135282
Copyright null 2020 Page 45 of 113
Data ASCII: . . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . A d m i n i s t r a t o r B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . o n e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . =. . . . . . . . p . ' 8 . . . . . . . X . @ . . . . . . . . .
Data Raw: 09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 0d 00 00 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
General
General
Stream Path: _VBA_PROJECT_CUR/PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 944
Entropy: 5.23737769823
Base64 Encoded: True
Data ASCII: I D = " { B 5 A D 7 8 9 3 - 6 B 9 0 - 4 D B 9 - A 1 F 3 - E 6 E C 2 7 1 F F A 5 3 } " . . D o c u m e n t = o n e / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = P a g e 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = P r e p a r e F o r m . . M o d u l e = M o d u l e 2 . . B a s e C l a s s = U s e r F o r m 6 . . D o c u m e n t = P a g e 1 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e =
Data Raw: 49 44 3d 22 7b 42 35 41 44 37 38 39 33 2d 36 42 39 30 2d 34 44 42 39 2d 41 31 46 33 2d 45 36 45 43 32 37 31 46 46 41 35 33 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 6f 6e 65 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 50 61 67 65 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46
General
Stream Path: _VBA_PROJECT_CUR/PROJECTwm
File Type: data
Stream Size: 266
Entropy: 3.36931619226
Base64 Encoded: False
Data ASCII: o n e . o . n . e . . . P a g e 1 . P . a . g . e . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . P r e p a r e F o r m . P . r . e . p . a . r . e . F . o . r . m . . . M o d u l e 2 . M . o . d . u . l . e . 2 . . . U s e r F o r m 6 . U . s . e . r . F . o . r . m . 6 . . . P a g e 1 1 . P . a . g . e . 1 . 1 . . . M o d u l e 5 . M .o . d . u . l . e . 5 . . . M o d u l e 4 . M . o . d . u . l . e . 4 . . . M o d u l e 0 . M . o . d . u . l . e . 0 . . . C a r C l a s s . C . a . r . C . l .
Data Raw: 6f 6e 65 00 6f 00 6e 00 65 00 00 00 50 61 67 65 31 00 50 00 61 00 67 00 65 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 50 72 65 70 61 72 65 46 6f 72 6d 00 50 00 72 00 65 00 70 00 61 00 72 00 65 00 46 00 6f 00 72 00 6d 00 00 00 4d 6f 64 75 6c 65 32 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 32 00 00 00 55 73 65 72 46 6f 72 6d 36 00 55 00 73 00
General
Stream Path: _VBA_PROJECT_CUR/PrepareForm/\x1CompObj
File Type: data
Stream Size: 97
Entropy: 3.61064918306
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b ed d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path: _VBA_PROJECT_CUR/PrepareForm/\x3VBFrame
File Type: ASCII text, with CRLF line terminators
Stream Size: 311
Entropy: 4.66172829894
Base64 Encoded: True
Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 944
Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 266
Stream Path: _VBA_PROJECT_CUR/PrepareForm/\x1CompObj, File Type: data, Stream Size: 97
Stream Path: _VBA_PROJECT_CUR/PrepareForm/\x3VBFrame, File Type: ASCII text, with CRLF line terminators,Stream Size: 311
Copyright null 2020 Page 46 of 113
Data ASCII: V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } P r e p a r e F o r m . . C a p t i o n = " M i c r o s o f t O f f i c e C o m p o n e n t s " . . C l i e n t H e i g h t = 1 7 1 6 . . C l i e n t L e f t = 4 8 . . C l i e n t T o p = 3 8 4 . . C l i e n t W i d t h = 5 5 5 6 . . S t a r t U p P o s i t i
Data Raw: 56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 50 72 65 70 61 72 65 46 6f 72 6d 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 43 6f 6d 70 6f 6e 65 6e 74 73 22 0d 0a 20
General
General
Stream Path: _VBA_PROJECT_CUR/PrepareForm/f
File Type: data
Stream Size: 13229
Entropy: 7.80460024665
Base64 Encoded: True
Data ASCII: . . ( . . . 0 . . . . . . . . . . . . . . . . . . } . . X & . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . . P . . .T a h o m a . R . . . . . . . . . . . K . Q l t . . > 3 . . . . . . . . J F I F . . . . . ` . ` . . . . . Z E x i f . . M M . *. . . . . . . . . . . . . . . . . J . . . . . . . . . . . . Q . . . . . . . . . . . Q . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . .. . . . . . . C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 00 04 28 00 08 0d 30 0e 01 00 00 00 01 00 ff ff ff ff 01 00 02 00 00 00 00 7d 00 00 58 26 00 00 e3 0b 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 ea 50 01 00 06 54 61 68 6f 6d 61 04 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 6c 74 00 00 3e 33 00 00 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff e1 00 5a 45 78 69
General
Stream Path: _VBA_PROJECT_CUR/PrepareForm/o
File Type: empty
Stream Size: 0
Entropy: 0.0
Base64 Encoded: False
Data ASCII:
Data Raw:
General
Stream Path: _VBA_PROJECT_CUR/UserForm6/\x1CompObj
File Type: data
Stream Size: 97
Entropy: 3.61064918306
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b ed d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path: _VBA_PROJECT_CUR/UserForm6/\x3VBFrame
File Type: ASCII text, with CRLF line terminators
Stream Size: 292
Entropy: 4.60789642864
Base64 Encoded: True
Data ASCII: V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 6 . . C a p t i o n = " U s e r F o r m 2 " . . C l i e n t H e i g h t = 3 0 1 2 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 8 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Stream Path: _VBA_PROJECT_CUR/PrepareForm/f, File Type: data, Stream Size: 13229
Stream Path: _VBA_PROJECT_CUR/PrepareForm/o, File Type: empty, Stream Size: 0
Stream Path: _VBA_PROJECT_CUR/UserForm6/\x1CompObj, File Type: data, Stream Size: 97
Stream Path: _VBA_PROJECT_CUR/UserForm6/\x3VBFrame, File Type: ASCII text, with CRLF line terminators,Stream Size: 292
Copyright null 2020 Page 47 of 113
Data Raw: 56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 36 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 32 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
General
General
Stream Path: _VBA_PROJECT_CUR/UserForm6/f
File Type: data
Stream Size: 395
Entropy: 4.58734814197
Base64 Encoded: False
Data ASCII: . . $ . . . . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . . P . . . T a h om a . . . . . . 8 . . . . . . e . . , . . . . . . . . . . . . . . . . . 4 . . . . . . . T e x t B o x 1 T E M P { . . . " . . . . . 4 . . . . . . . . . . . . . . . . . H . . . . . . . T e x t B o x 3 T e m p l a t e s . i . { . . . . . . . . . < . . . . . . . . . .. . . . . . . 2 . . . 8 . . . . . . . L a b e l 1 x 3 \\ o l e O b j e c t 1 . b i n . ] . . . . . . . .
Data Raw: 00 04 24 00 08 0c 10 0c 05 00 00 00 ff ff 00 00 07 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 ea 50 01 00 06 54 61 68 6f 6d 61 00 00 05 00 00 00 38 01 00 00 00 85 01 65 00 00 2c 00 e7 01 00 00 08 00 00 80 04 00 00 80 01 00 00 00 34 00 00 00 00 00 17 00 54 65 78 74 42 6f 78 31 54 45 4d 50 7b
General
Stream Path: _VBA_PROJECT_CUR/UserForm6/o
File Type: data
Stream Size: 292
Entropy: 3.77420228611
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . H . , . . . . { . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . . . @ . . . . . . H . , .. . . . . . . { . . . \\ o l e O b j e c t * . b i n . . . . . 5 . . . . . . . . . . . . . . . T a h o m a v . . . . . ( . . . . . . .L a b e l 1 . . . . . . { . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a v . . . . . ( . . . . . . . L a b e l 2 . . . . .. { . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a v . . . . . A . . . . . . . . H . , . . . .
Data Raw: 00 02 14 00 01 01 00 80 00 00 00 00 1b 48 80 2c ec 09 00 00 7b 02 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 00 02 00 00 54 61 68 6f 6d 61 00 00 00 02 28 00 01 01 40 80 00 00 00 00 1b 48 80 2c 0f 00 00 80 ec 09 00 00 7b 02 00 00 5c 6f 6c 65 4f 62 6a 65 63 74 2a 2e 62 69 6e 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 00 02 00 00 54 61 68 6f 6d 61 76 11 00 02 18 00
General
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type: data
Stream Size: 7159
Entropy: 5.13142655621
Base64 Encoded: True
Data ASCII: . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 .0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . ..
Data Raw: cc 61 af 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 07 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0
File Type: data
Stream Size: 2529
Entropy: 4.3094793837
Base64 Encoded: False
Data ASCII: . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . .. . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ W . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . F . . . . . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Stream Path: _VBA_PROJECT_CUR/UserForm6/f, File Type: data, Stream Size: 395
Stream Path: _VBA_PROJECT_CUR/UserForm6/o, File Type: data, Stream Size: 292
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 7159
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2529
Copyright null 2020 Page 48 of 113
Data Raw: 93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 04 00 06 00 04 00 06 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 02 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 03 00 00 7e 03 00 00 7e 03 00 00 7e 03 00 00 7e
General
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1
File Type: data
Stream Size: 335
Entropy: 3.97044139223
Base64 Encoded: False
Data ASCII: r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . p a r a m e t e r 1 . . . . . . . . n I n d e x . . . . . . . . d w N e w L o ng . . . . . . . . l p C l a s s N a m e . . . . . . . . l p W i n d o w N a m e . . . . . . . . L o n g D a t a . . . .. . . . C o n t e x t . . . . . . . . B y t e D a t a . . . . . . . . C o l R a n g e . . . . . . . . W i d
Data Raw: 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 03 00 00 08 0a 00 00 00 70 61 72 61 6d 65 74 65 72 31 02 00 00 08 06 00 00 00 6e 49 6e 64 65 78 03 00
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4
File Type: data
Stream Size: 160
Entropy: 2.40515850022
Base64 Encoded: False
Data ASCII: r U . . . . . . . . . . . . . . . . . . . ~ | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M . . . . . . .
Data Raw: 72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 05 00 08 00 00 00 00 00 04 00 04 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 04 00 00 12 04 00 04 00 00 12 05 00 04 00 00 12 06 00
General
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5
File Type: data
Stream Size: 656
Entropy: 2.59644877473
Base64 Encoded: False
Data ASCII: r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . p . . . . . . . . .. . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . Q . . . . . . . $ . . p . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . D . . p . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . , . . . . . . .. . d . . p . . . . . . . . . . . . . . . . . . a . . . . . .
Data Raw: 72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 30 00 a1 0a 00 00 00 00 00 00 00 00 00 70 0c 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 61 00 00 00 00 00 01 00 81 00 00 00 00 00 01 00 99 00 00 00 00 00 01 00 00 00 00 00 08 08 08 08 2c 00 51 0b 00 00 00 00 00 00 24 00
General
Stream Path: _VBA_PROJECT_CUR/VBA/dir
File Type: data
Stream Size: 1327
Entropy: 6.74004010091
Base64 Encoded: True
Data ASCII: . + . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r .. . . . . . . . . . . ` . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 02 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw: 01 2b b5 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 1a 05 cc 60 03 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 335
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4, File Type: data, Stream Size: 160
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5, File Type: data, Stream Size: 656
Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1327
Copyright null 2020 Page 49 of 113
No network behavior found
Code Manipulations
Statistics
Behavior
• EXCEL.EXE
• splwow64.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
• WerFault.exe
Click to jump to process
System Behavior
Network Behavior
File ActivitiesFile Activities
Start time: 19:20:17
Start date: 12/06/2020
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xc00000
File size: 43854104 bytes
MD5 hash: D672D26C85AEB9536B9736BF04054969
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
File Path Access Attributes Options Completion CountSourceAddress Symbol
Analysis Process: EXCEL.EXE PID: 5416 Parent PID: 700Analysis Process: EXCEL.EXE PID: 5416 Parent PID: 700
General
File CreatedFile Created
Copyright null 2020 Page 50 of 113
C:\Users\user\AppData\Local\Temp\~DF96F62741B1105DFF.TMP read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 6663C70C unknown
C:\Users\user\AppData\Local\Temp\~DF6F63366EF1BEDEB2.TMP read attributes | delete | synchronize | generic read | generic write
device synchronous io non alert | non directory file | delete on close
success or wait 1 66697025 unknown
C:\Users\user\AppData\Local\Temp\VBE read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 667270E2 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\~DF28BAD242C80A9E72.TMP read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 66698077 unknown
C:\Users\user\Application Data\Microsoft\Forms read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 6666FA9F unknown
C:\Users\user\Application Data\Microsoft\Forms\EXCEL.box read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 6666FA9F unknown
C:\Users\user\AppData\Local\Temp\~DFB1F25718C2A44535.TMP read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 6666FA9F unknown
C:\Users\user\AppData\Local\Temp\~DF7D1BCCAB7E85B45D.TMP read attributes | delete | synchronize | generic read | generic write
device synchronous io non alert | non directory file | delete on close
success or wait 1 6666FA9F unknown
C:\Users\user\AppData\Local\Temp\~DFC7652D5B14C9A437.TMP read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 66698077 unknown
C:\Users\user\AppData\Local\Temp\VBF56E.tmp read attributes | synchronize | generic read
device synchronous io non alert | non directory file
success or wait 1 6678A0F4 GetTempFileNameA
C:\Users\user\AppData\Local\Temp\VBF56F.tmp read attributes | synchronize | generic read
device synchronous io non alert | non directory file
success or wait 1 66797710 GetTempFileNameA
C:\Users\user\AppData\Local\Temp\VBF570.tmp read attributes | synchronize | generic read
device synchronous io non alert | non directory file
success or wait 1 6678A2CD GetTempFileNameA
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip read attributes | synchronize | generic write
device synchronous io non alert | non directory file
success or wait 1 66655B44 unknown
C:\Users\user\AppData\Local\Temp read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision 1 66680D8C unknown
C:\Users\user\AppData\Local\Temp\oleObject1.bin read attributes | synchronize | generic read | generic write
device sequential only | synchronous io non alert | non directory file
success or wait 1 66680D8C unknown
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\libOmio.dll
read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 66655B44 unknown
File Path Access Attributes Options Completion CountSourceAddress Symbol
File Path Completion CountSourceAddress Symbol
C:\Users\user\AppData\Roaming\Microsoft\Forms\EXCEL.box success or wait 1 6666FA9F unknown
C:\Users\user\AppData\Local\Temp\~DF28BAD242C80A9E72.TMP success or wait 1 66697F47 unknown
File DeletedFile Deleted
Copyright null 2020 Page 51 of 113
C:\Users\user\AppData\Local\Temp\VBF56E.tmp success or wait 1 6678A3AE DeleteFileA
C:\Users\user\AppData\Local\Temp\VBF570.tmp success or wait 1 6678A40F DeleteFileA
C:\Users\user\AppData\Local\Temp\VBF56E.tmp success or wait 1 667A66B7 DeleteFileA
C:\Users\user\AppData\Local\Temp\~DF3D8F94D159A1FBBE.TMP success or wait 1 666D256B unknown
File Path Completion CountSourceAddress Symbol
Old File Path New File Path Completion CountSourceAddress Symbol
C:\Users\user\AppData\Local\Temp\VBF56F.tmp C:\Users\user\AppData\Local\Temp\VBF56E.tmp success or wait 1 6678A3E4 MoveFileA
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 4d 53 46 54 MSFT success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 02 00 01 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 09 04 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 2 51 00 Q. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 2 00 00 .. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 2 02 00 .. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 2 00 00 .. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 06 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 ab 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 cd 02 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 15 24 00 00 .$.. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 24 00 00 00 $... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 ff ff ff ff .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 20 00 00 00 ... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 80 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 0d 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 bc 00 00 00 .... success or wait 1 666B3650 unknown
File MovedFile Moved
File WrittenFile Written
Copyright null 2020 Page 52 of 113
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 684 00 00 00 00 64 00 00 00 c8 00 00 00 2c 01 00 00 90 01 00 00 f4 01 00 00 58 02 00 00 bc 02 00 00 20 03 00 00 84 03 00 00 e8 03 00 00 4c 04 00 00 b0 04 00 00 14 05 00 00 78 05 00 00 dc 05 00 00 40 06 00 00 a4 06 00 00 08 07 00 00 6c 07 00 00 d0 07 00 00 34 08 00 00 98 08 00 00 fc 08 00 00 60 09 00 00 c4 09 00 00 28 0a 00 00 8c 0a 00 00 f0 0a 00 00 54 0b 00 00 b8 0b 00 00 1c 0c 00 00 80 0c 00 00 e4 0c 00 00 48 0d 00 00 ac 0d 00 00 10 0e 00 00 74 0e 00 00 d8 0e 00 00 3c 0f 00 00 a0 0f 00 00 04 10 00 00 68 10 00 00 cc 10 00 00 30 11 00 00 94 11 00 00 f8 11 00 00 5c 12 00 00 c0 12 00 00 24 13 00 00 88 13 00 00 ec 13 00 00 50 14 00 00 b4 14 00 00 18 15 00 00 7c 15 00 00 e0 15 00 00 44 16 00 00 a8 16 00 00 0c 17 00 00 70 17 00 00 d4 17 00 00 38 18 00 00 9c 18 00
....d.......,...........X.......
...........L...........x...
[email protected].....
......`.......(...........T...
................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8......
success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 6c 00 00 cc 42 00 00 0f 00 00 00
.....l...B...... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 0a 00 00 d0 08 00 00 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 24 00 00 00 1c 00 00 00 0f 00 00 00
....$........... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 0c 00 00 00 07 00 00 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 80 00 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 20 00 00 80 10 00 00 0f 00 00 00
..... .......... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 02 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 78 00 00 ec 49 00 00 0f 00 00 00
.....x...I...... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 0b 00 00 54 06 00 00 0f 00 00 00
........T....... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 10 00 00 10 0e 00 00 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 20 00 00 00 10 00 00 00 0f 00 00 00
.... ........... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 53 of 113
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 17100 26 21 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 04 00 00 00 03 00 03 80 00 00 00 00 a8 53 c6 11 ff ff ff ff 26 21 01 00 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 04 00 00 00 03 00 03 80 00 00 00 00 c0 54 c6 11 ff ff ff ff a6 10 02 00 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 44 00 00
&!...........................................................................................S......&!..........................................0.......,........................................T..................................................H.......D..
success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 128 38 10 00 00 f8 07 00 00 50 10 00 00 10 08 00 00 a8 0f 00 00 40 0e 00 00 c0 0f 00 00 b8 0e 00 00 58 0e 00 00 18 0f 00 00 e8 0b 00 00 98 0a 00 00 e8 0e 00 00 c0 0c 00 00 c8 0d 00 00 28 0e 00 00 90 09 00 00 88 0b 00 00 20 10 00 00 58 0b 00 00 08 10 00 00 88 0e 00 00 68 10 00 00 d8 0f 00 00 88 05 00 00 48 0f 00 00 90 0c 00 00 10 0e 00 00 70 0e 00 00 78 0f 00 00 00 0f 00 00 30 0f 00 00
[email protected]...........................(........... ...X...........h...........H...........p...x.......0...
success or wait 1 666B3650 unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 54 of 113
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4224 c4 e8 c0 a5 dd 1f fc 47 92 b9 3f b7 88 e0 40 4d fe ff ff ff ff ff ff ff 01 43 50 66 0f be 1a 10 8b bb 00 aa 00 30 0c ab 00 00 00 00 ff ff ff ff 13 43 50 66 0f be 1a 10 8b bb 00 aa 00 30 0c ab 64 00 00 00 ff ff ff ff 0b 43 50 66 0f be 1a 10 8b bb 00 aa 00 30 0c ab c8 00 00 00 ff ff ff ff 02 e0 f6 be 74 a8 1a 10 8b ba 00 aa 00 30 0c ab 2c 01 00 00 ff ff ff ff 03 e0 f6 be 74 a8 1a 10 8b ba 00 aa 00 30 0c ab 90 01 00 00 ff ff ff ff 20 47 bb 10 97 f7 ce 11 b9 ec 00 aa 00 6b 1a 69 f4 01 00 00 ff ff ff ff e0 03 0c 57 97 f7 ce 11 b9 ec 00 aa 00 6b 1a 69 58 02 00 00 ff ff ff ff 90 f5 72 ec 75 f3 ce 11 b9 e8 00 aa 00 6b 1a 69 bc 02 00 00 ff ff ff ff 70 23 b0 82 bc b5 cf 11 81 0f 00 a0 c9 03 00 74 20 03 00 00 ff ff ff ff 71 23 b0 82 bc b5 cf 11 81 0f 00 a0 c9 03 00
.......0...........CPf........
.0..d........CPf.........0....
..........t........0..,.......
....t........0.......... G....
.......k.i...........W........
.k.iX.........r.u........k.i..
......p#.............t .......q#.............
success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 1792 20 03 00 00 01 00 00 00 ff ff ff ff ff ff ff ff 84 03 00 00 01 00 00 00 ff ff ff ff ff ff ff ff e8 03 00 00 01 00 00 00 ff ff ff ff ff ff ff ff 4c 04 00 00 01 00 00 00 ff ff ff ff ff ff ff ff b0 04 00 00 01 00 00 00 ff ff ff ff ff ff ff ff bc 02 00 00 01 00 00 00 ff ff ff ff ff ff ff ff d8 0e 00 00 01 00 00 00 ff ff ff ff 70 00 00 00 68 10 00 00 03 00 00 00 ff ff ff ff ff ff ff ff 04 10 00 00 01 00 00 00 ff ff ff ff 90 00 00 00 30 11 00 00 03 00 00 00 ff ff ff ff ff ff ff ff a0 0f 00 00 01 00 00 00 ff ff ff ff b0 00 00 00 94 11 00 00 03 00 00 00 ff ff ff ff ff ff ff ff 64 19 00 00 01 00 00 00 ff ff ff ff d0 00 00 00 28 23 00 00 03 00 00 00 ff ff ff ff ff ff ff ff c8 19 00 00 01 00 00 00 ff ff ff ff f0 00 00 00 f0 23 00 00 03 00 00 00 ff ff ff ff ff ff ff
...............................................L...........................................................p...h...............................0...............................................d...............(#...............................#.............
success or wait 1 666B3650 unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 55 of 113
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 2256 00 00 01 03 00 00 00 00 38 10 00 00 01 00 01 03 00 00 00 00 50 10 00 00 02 00 00 01 00 00 00 00 00 00 00 00 03 00 00 01 00 00 00 00 00 00 00 00 04 00 00 01 00 00 00 00 00 00 00 00 05 00 00 01 00 00 00 00 01 00 00 00 06 00 00 01 00 00 00 00 02 00 00 00 07 00 00 01 00 00 00 00 00 00 00 00 08 00 00 01 00 00 00 00 00 00 00 00 09 00 00 01 00 00 00 00 00 00 00 00 0a 00 00 01 00 00 00 00 01 00 00 00 0b 00 00 01 00 00 00 00 02 00 00 00 0c 00 00 01 00 00 00 00 00 00 00 00 0d 00 00 01 00 00 00 00 00 00 00 00 0e 00 00 01 00 00 00 00 00 00 00 00 0f 00 00 01 00 00 00 00 01 00 00 00 10 00 00 01 00 00 00 00 02 00 00 00 11 00 00 01 00 00 00 00 00 00 00 00 12 00 00 01 00 00 00 00 00 00 00 00 13 00 00 01 00 00 00 00 00 00 00 00 14 00 00 01 00 00 00 00 01 00 00 00 15 00 00
........8...........P.........
..............................
..............................
..............................
..............................
..............................
..............................
..............................
...............
success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 28 20 10 00 00 00 00 00 00 02 00 00 00 2d 00 73 74 64 6f 6c 65 32 2e 74 6c 62 57 57 57
...........-.stdole2.tlbWWW success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 512 74 41 00 00 bc 24 00 00 5c 30 00 00 a8 49 00 00 e4 47 00 00 60 3c 00 00 f8 2d 00 00 58 45 00 00 2c 41 00 00 bc 47 00 00 88 30 00 00 cc 49 00 00 3c 2c 00 00 cc 48 00 00 70 46 00 00 68 3d 00 00 20 42 00 00 64 24 00 00 b8 3b 00 00 44 47 00 00 48 46 00 00 48 43 00 00 48 3e 00 00 94 26 00 00 4c 3c 00 00 18 3a 00 00 20 44 00 00 44 38 00 00 a8 45 00 00 18 47 00 00 80 45 00 00 10 43 00 00 14 49 00 00 84 49 00 00 2c 30 00 00 24 40 00 00 90 42 00 00 ac 44 00 00 1c 3e 00 00 ac 3f 00 00 34 42 00 00 14 45 00 00 98 47 00 00 a4 43 00 00 94 32 00 00 14 41 00 00 0c 48 00 00 5c 44 00 00 bc 45 00 00 84 28 00 00 c0 2f 00 00 ac 2d 00 00 e4 31 00 00 b4 41 00 00 b4 40 00 00 6c 34 00 00 e8 21 00 00 9c 40 00 00 40 3b 00 00 08 2a 00 00 6c 45 00 00 cc 40 00 00 24 46 00 00 fc 3e 00
tA...$..\0...I...G..`<...-..XE..,A...G...0...I..<,...H..pF..h=.. B..d$...;..DG..HF..HC..H>...&..L<...:.. D..D8...E...G...E...C...I...I..,[email protected]...>...?..4B...E...G...C...2...A...H..\D...E...(.../[email protected]...!...@..@;...*..lE...@..$F...>.
success or wait 1 666B3650 unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 56 of 113
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 18924 ff ff ff ff ff ff ff ff 07 00 43 0f 4d 53 46 6f 72 6d 73 57 00 00 00 00 ff ff ff ff 09 38 e4 f5 4f 4c 45 5f 43 4f 4c 4f 52 57 57 57 64 00 00 00 ff ff ff ff 0a 38 28 6f 4f 4c 45 5f 48 41 4e 44 4c 45 57 57 c8 00 00 00 ff ff ff ff 10 38 c2 57 4f 4c 45 5f 4f 50 54 45 58 43 4c 55 53 49 56 45 2c 01 00 00 ff ff ff ff 05 38 9f ce 49 46 6f 6e 74 57 57 57 90 01 00 00 ff ff ff ff 04 28 55 10 46 6f 6e 74 f4 01 00 00 ff ff ff ff 0c 38 a9 2a 66 6d 44 72 6f 70 45 66 66 65 63 74 58 02 00 00 ff ff ff ff 08 38 8c 62 66 6d 41 63 74 69 6f 6e bc 02 00 00 ff ff ff ff 10 38 8f 6b 49 44 61 74 61 41 75 74 6f 57 72 61 70 70 65 72 20 03 00 00 ff ff ff ff 0e 38 dc 56 49 52 65 74 75 72 6e 49 6e 74 65 67 65 72 57 57 84 03 00 00 ff ff ff ff 0e 38 e0 39 49 52 65 74 75 72 6e 42 6f 6f 6c
..........C.MSFormsW.........8..OLE_COLORWWWd........8(oOLE_HANDLEWW.........8.WOLE_OPTEXCLUSIVE,........8..IFontWWW.........(U.Font.........8.*fmDropEffectX........8.bfmAction.........8.kIDataAutoWrapper ........8.VIReturnIntegerWW.........8.9IReturnBool
success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 1620 22 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 4f 62 6a 65 63 74 20 4c 69 62 72 61 72 79 1c 00 43 3a 5c 57 69 6e 64 6f 77 73 5c 53 79 73 57 4f 57 36 34 5c 66 6d 32 30 2e 68 6c 70 57 57 04 00 4e 6f 6e 65 57 57 04 00 43 6f 70 79 57 57 04 00 4d 6f 76 65 57 57 0a 00 43 6f 70 79 4f 72 4d 6f 76 65 03 00 43 75 74 57 57 57 05 00 50 61 73 74 65 57 08 00 44 72 61 67 44 72 6f 70 57 57 07 00 49 6e 68 65 72 69 74 57 57 57 02 00 4f 6e 57 57 57 57 03 00 4f 66 66 57 57 57 07 00 44 65 66 61 75 6c 74 57 57 57 05 00 41 72 72 6f 77 57 05 00 43 72 6f 73 73 57 05 00 49 42 65 61 6d 57 08 00 53 69 7a 65 4e 45 53 57 57 57 06 00 53 69 7a 65 4e 53 08 00 53 69 7a 65 4e 57 53 45 57 57 06 00 53 69 7a 65 57 45 07 00 55 70 41 72 72 6f 77 57 57 57 09 00 48 6f 75 72 47
".Microsoft Forms 2.0 Object Library..C:\Windows\SysWOW64\fm20.hlpWW..NoneWW..CopyWW..MoveWW..CopyOrMove..CutWWW..PasteW..DragDropWW..InheritWWW..OnWWWW..OffWWW..DefaultWWW..ArrowW..CrossW..IBeamW..SizeNESWWW..SizeNS..SizeNWSEWW..SizeWE..UpArrowWWW..HourG
success or wait 1 666B3650 unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 57 of 113
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 3600 1a 00 08 40 08 00 08 80 1a 00 06 40 06 00 06 80 1a 00 0b 40 0b 00 0b 80 1a 00 02 40 02 00 02 80 1d 00 ff 7f 64 00 00 00 1a 00 ff 7f 20 00 00 00 1d 00 ff 7f 2c 01 00 00 1a 00 ff 7f 30 00 00 00 1a 00 ff 7f 38 00 00 00 1d 00 ff 7f 19 00 00 00 1a 00 ff 7f 48 00 00 00 1a 00 00 40 18 00 00 80 1a 00 fe 7f 58 00 00 00 1a 00 13 40 17 00 13 80 1d 00 ff 7f 25 00 00 00 1a 00 ff 7f 70 00 00 00 1a 00 10 40 10 00 10 80 1a 00 fe 7f 80 00 00 00 1a 00 03 40 03 00 03 80 1d 00 ff 7f 31 00 00 00 1a 00 ff 7f 98 00 00 00 1d 00 ff 7f 3d 00 00 00 1a 00 ff 7f a8 00 00 00 1a 00 0c 40 0c 00 0c 80 1d 00 ff 7f 49 00 00 00 1a 00 ff 7f c0 00 00 00 1d 00 03 00 f4 01 00 00 1d 00 ff 7f 55 00 00 00 1a 00 ff 7f d8 00 00 00 1d 00 ff 7f 61 00 00 00 1a 00 ff 7f e8 00 00 00 1d 00 ff 7f 6d 00 00
...@.......@.......@.......@..
......d....... .......,[email protected]......@........%.......p......@[email protected]...............=..............@........I.......................U...............a...............m..
success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 03 00 fe ff ff ff 57 57 03 00 ff ff ff ff 57 57
......WW......WW success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 24 03 00 00 $... success or wait 107 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 2 24 00 $. success or wait 1956 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 22 00 00 19 00 19 80 00 00 00 00 0c 00 4c 00 11 44 01 00 01 00 00 00
............L..D...... success or wait 1757 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 12 00 00 00 00 24 11 00 00 0a 00 00 00
....$....... success or wait 1215 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 88 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 03 00 00 00 03 00 00 00 04 00 00 00 04 00 00 00 05 00 00 00 05 00 00 00 06 00 00 00 06 00 00 00 07 00 00 00 07 00 00 00 08 00 00 00 08 00 00 00 10 00 01 60 11 00 01 60 12 00 01 60 13 00 01 60 14 00 01 60 15 00 01 60
..............................
..............................
.......`...`...`...`...`...`
success or wait 107 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 88 14 11 00 00 14 11 00 00 38 11 00 00 38 11 00 00 5c 11 00 00 5c 11 00 00 80 11 00 00 80 11 00 00 a8 11 00 00 a8 11 00 00 d8 11 00 00 d8 11 00 00 10 12 00 00 10 12 00 00 38 12 00 00 38 12 00 00 60 12 00 00 88 12 00 00 b0 12 00 00 dc 12 00 00 20 13 00 00 38 13 00 00
........8...8...\...\.........
..........................8...8...`............... ...8...
success or wait 107 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 88 00 00 00 00 24 00 00 00 48 00 00 00 6c 00 00 00 90 00 00 00 b4 00 00 00 d8 00 00 00 fc 00 00 00 20 01 00 00 44 01 00 00 68 01 00 00 8c 01 00 00 b0 01 00 00 d4 01 00 00 f8 01 00 00 1c 02 00 00 40 02 00 00 64 02 00 00 88 02 00 00 ac 02 00 00 dc 02 00 00 00 03 00 00
....$...H...l...................
...D...h...................
[email protected]...................
success or wait 107 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 4d 53 46 54 MSFT success or wait 1 666B3650 unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 58 of 113
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 02 00 01 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 09 04 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 2 51 00 Q. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 2 00 00 .. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 2 02 00 .. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 2 00 00 .. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 06 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 ab 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 cd 02 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 15 24 00 00 .$.. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 00 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 24 00 00 00 $... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 ff ff ff ff .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 20 00 00 00 ... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 80 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 0d 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 4 bc 00 00 00 .... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 684 00 00 00 00 64 00 00 00 c8 00 00 00 2c 01 00 00 90 01 00 00 f4 01 00 00 58 02 00 00 bc 02 00 00 20 03 00 00 84 03 00 00 e8 03 00 00 4c 04 00 00 b0 04 00 00 14 05 00 00 78 05 00 00 dc 05 00 00 40 06 00 00 a4 06 00 00 08 07 00 00 6c 07 00 00 d0 07 00 00 34 08 00 00 98 08 00 00 fc 08 00 00 60 09 00 00 c4 09 00 00 28 0a 00 00 8c 0a 00 00 f0 0a 00 00 54 0b 00 00 b8 0b 00 00 1c 0c 00 00 80 0c 00 00 e4 0c 00 00 48 0d 00 00 ac 0d 00 00 10 0e 00 00 74 0e 00 00 d8 0e 00 00 3c 0f 00 00 a0 0f 00 00 04 10 00 00 68 10 00 00 cc 10 00 00 30 11 00 00 94 11 00 00 f8 11 00 00 5c 12 00 00 c0 12 00 00 24 13 00 00 88 13 00 00 ec 13 00 00 50 14 00 00 b4 14 00 00 18 15 00 00 7c 15 00 00 e0 15 00 00 44 16 00 00 a8 16 00 00 0c 17 00 00 70 17 00 00 d4 17 00 00 38 18 00 00 9c 18 00
....d.......,...........X.......
...........L...........x...
[email protected].....
......`.......(...........T...
................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8......
success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 f0 03 00 00 cc 42 00 00 ff ff ff ff 0f 00 00 00
.....B.......... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 bc 5e 00 00 d0 08 00 00 ff ff ff ff 0f 00 00 00
.^.............. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 8c 67 00 00 1c 00 00 00 ff ff ff ff 0f 00 00 00
.g.............. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 bc 57 00 00 00 07 00 00 ff ff ff ff 0f 00 00 00
.W.............. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 bc 46 00 00 80 00 00 00 ff ff ff ff 0f 00 00 00
.F.............. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 3c 47 00 00 80 10 00 00 ff ff ff ff 0f 00 00 00
<G.............. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 a8 67 00 00 00 02 00 00 ff ff ff ff 0f 00 00 00
.g.............. success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 a8 69 00 00 ec 49 00 00 ff ff ff ff 0f 00 00 00
.i...I.......... success or wait 1 666B3650 unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 59 of 113
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 94 b3 00 00 54 06 00 00 ff ff ff ff 0f 00 00 00
....T........... success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 e8 b9 00 00 10 0e 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 f8 c7 00 00 10 00 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 16 ff ff ff ff 00 00 00 00 ff ff ff ff 0f 00 00 00
................ success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd unknown 17100 26 21 00 00 08 c8 00 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 04 00 00 00 03 00 03 80 00 00 00 00 00 00 00 00 ff ff ff ff 26 21 01 00 08 c8 00 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 04 00 00 00 03 00 03 80 00 00 00 00 00 00 00 00 ff ff ff ff a6 10 02 00 08 c8 00 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 44 00 00
&!..................................................................................................&!..........................................0.......,...........................................................................................H.......D..
success or wait 1 666B3650 unknown
C:\Users\user\AppData\Local\Temp\VBF56F.tmp unknown 55 56 45 52 53 49 4f 4e 20 31 2e 30 20 43 4c 41 53 53 0d 0a 42 45 47 49 4e 0d 0a 20 20 4d 75 6c 74 69 55 73 65 20 3d 20 2d 31 20 20 27 54 72 75 65 0d 0a 45 4e 44 0d 0a
VERSION 1.0 CLASS..BEGIN.. MultiUse = -1 'True..END..
success or wait 1 6672D72B _lwrite
C:\Users\user\AppData\Local\Temp\VBF56F.tmp unknown 164 41 74 74 72 69 62 75 74 65 20 56 42 5f 4e 61 6d 65 20 3d 20 22 50 61 67 65 31 31 22 0d 0a 41 74 74 72 69 62 75 74 65 20 56 42 5f 47 6c 6f 62 61 6c 4e 61 6d 65 53 70 61 63 65 20 3d 20 46 61 6c 73 65 0d 0a 41 74 74 72 69 62 75 74 65 20 56 42 5f 43 72 65 61 74 61 62 6c 65 20 3d 20 46 61 6c 73 65 0d 0a 41 74 74 72 69 62 75 74 65 20 56 42 5f 50 72 65 64 65 63 6c 61 72 65 64 49 64 20 3d 20 54 72 75 65 0d 0a 41 74 74 72 69 62 75 74 65 20 56 42 5f 45 78 70 6f 73 65 64 20 3d 20 54 72 75 65 0d 0a
Attribute VB_Name = "Page11"..Attribute VB_GlobalNameSpace = False..Attribute VB_Creatable = False..Attribute VB_PredeclaredId = True..Attribute VB_Exposed = True..
success or wait 1 6672D72B _lwrite
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 60 of 113
C:\Users\user\AppData\Local\Temp\~$funduct.xlsx unknown 55 05 47 75 63 63 69 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
.user success or wait 1 DA07DE WriteFile
C:\Users\user\AppData\Local\Temp\~$funduct.xlsx unknown 110 05 00 47 00 75 00 63 00 63 00 69 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
..G.u.c.c.i. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . .
success or wait 1 DA0839 WriteFile
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 65024 50 4b 03 04 14 00 06 00 08 00 00 00 21 00 4b 0f ba 85 b7 01 00 00 bd 06 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PK..........!.K...............[Content_Types].xml ...(.........................................................................................................................................................................................................
success or wait 8 666559D6 unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 61 of 113
C:\Users\user\AppData\Local\Temp\oleObject1.bin unknown 16384 d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 00 03 00 fe ff 09 00 06 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 01 00 00 00 00 00 00 00 00 10 00 00 02 00 00 00 01 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 04 00 00 00 05 00 00 00 06 00 00 00 07 00 00 00 08 00 00 00 09 00 00 00 0a 00 00 00 0b 00 00 00 0c 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
........................>.....
..............................
..............................
..............................
..............................
..............................
..............................
..............................
...............
success or wait 24 66680D8C unknown
C:\Users\user\AppData\Local\Temp\oleObject1.bin unknown 16384 c2 00 60 02 5b 00 60 93 2f 00 60 98 a2 00 60 ad 0d 00 60 dd 49 00 60 ae 39 00 60 48 91 00 60 e7 e4 00 60 5e bc 00 60 7e 41 00 60 c2 2b 00 60 97 cd 00 60 d3 c6 00 60 f7 9a 00 60 32 f8 00 60 5f eb 00 60 51 54 00 60 2d 68 00 60 71 32 00 60 c8 e9 00 60 d4 77 00 60 ad 71 00 60 12 1d 00 60 88 c5 00 60 ba df 00 60 89 5a 00 60 76 ed 00 60 e3 9a 00 60 04 75 00 60 1a c6 00 60 a9 7c 00 60 2d e7 00 60 36 0c 00 60 6c 19 00 60 f8 53 00 60 c1 fc 00 60 ef c5 00 60 96 80 00 60 f1 dc 00 60 00 62 00 60 63 85 00 60 d3 c9 00 60 35 85 00 60 a2 dd 00 60 e7 0c 00 60 a7 09 00 60 75 1f 00 60 bb 7a 00 60 85 ec 00 60 fa 48 00 60 31 3f 00 60 1d e9 00 60 a6 ba 00 60 78 ce 00 60 45 68 00 60 3b 9c 00 60 5b 3e 00 60 0b f8 00 60 2f bf 00 60 b6 c9 00 60 31 7b 00 60 79 ac 00 60 47 03 00 60
..`.[.`./.`...`...`.I.`.9.`H..`...`^..`~A.`.+.`...`...`...`2..`_..`QT.`-h.`q2.`...`.w.`.q.`...`...`...`.Z.`v..`...`.u.`...`.|.`-..`6..`l..`.S.`...`...`...`...`.b.`c..`...`5..`...`...`...`u..`.z.`...`.H.`1?.`...`...`x..`Eh.`;..`[>.`...`/..`...`1{.`y..`G..`
success or wait 16 66680D8C unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 62 of 113
C:\Users\user\AppData\Local\Temp\oleObject1.bin unknown 8192 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
..............................
..............................
..............................
..............................
..............................
..............................
..............................
..............................
...............
success or wait 1 66680D8C unknown
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\libOmio.dll
unknown 1 4d M success or wait 285696 666559D6 unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
File Path Offset Length Completion CountSourceAddress Symbol
C:\Users\Public\desktop.ini unknown 176 success or wait 1 66680D8C unknown
C:\Users\Public\Desktop\desktop.ini unknown 176 success or wait 1 66680D8C unknown
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini unknown 176 success or wait 1 66680D8C unknown
C:\Users\user\Documents\desktop.ini unknown 404 success or wait 1 66680D8C unknown
C:\Users\user\Music\desktop.ini unknown 506 success or wait 1 66680D8C unknown
C:\Users\user\Pictures\desktop.ini unknown 506 success or wait 1 66680D8C unknown
C:\Users\user\Videos\desktop.ini unknown 506 success or wait 1 66680D8C unknown
C:\Users\user\Downloads\desktop.ini unknown 284 success or wait 1 66680D8C unknown
C:\Users\user\OneDrive\desktop.ini unknown 98 success or wait 1 66680D8C unknown
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini unknown 402 success or wait 1 66680D8C unknown
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini unknown 176 success or wait 1 66680D8C unknown
C:\Windows\Fonts\desktop.ini unknown 67 success or wait 1 66680D8C unknown
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini unknown 176 success or wait 1 66680D8C unknown
C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini unknown 696 success or wait 1 66680D8C unknown
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini unknown 266 success or wait 1 66680D8C unknown
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini unknown 176 success or wait 1 66680D8C unknown
C:\Users\user\Favorites\desktop.ini unknown 404 success or wait 1 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx unknown 65024 success or wait 8 666B06D0 unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx unknown 65024 end of file 1 666B06D0 unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 1 success or wait 2 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 1 success or wait 2 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 1 success or wait 2 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 1 success or wait 30 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 18 success or wait 1 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 1 success or wait 2 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 1 success or wait 2 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 1 success or wait 2 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 1 success or wait 30 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 18 success or wait 1 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 46 success or wait 19 66680D8C unknown
File ReadFile Read
Copyright null 2020 Page 63 of 113
Registry ActivitiesRegistry Activities
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 19 success or wait 19 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 30 success or wait 1 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 28 success or wait 1 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 10240 success or wait 1 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 10240 success or wait 36 66680D8C unknown
C:\Users\user\AppData\Local\Temp\funduct.xlsx.zip unknown 10240 success or wait 2 66680D8C unknown
C:\Users\user\AppData\Local\Temp\oleObject1.bin unknown 1 success or wait 99312 666B06D0 unknown
File Path Offset Length Completion CountSourceAddress Symbol
Key Path Completion CountSourceAddress Symbol
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache success or wait 1 C987BC RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0 success or wait 1 C987E4 RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1 success or wait 1 66664F25 RegCreateKeyExA
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common success or wait 1 66664F25 RegCreateKeyExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage
success or wait 1 666E0DE8 unknown
Key Path Name Type Data Completion CountSourceAddress Symbol
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
MSForms dword 1 success or wait 1 C98806 RegSetValueExW
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
MSComctlLib dword 1 success or wait 1 C98806 RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E60090400000000000F01FEC\Usage
VBAFilesIntl_1033 dword 1355546625 success or wait 1 666E0DE8 unknown
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
binary 01 00 00 00 00 00 00 00 13 18 27 37 29 41 D6 01
success or wait 1 66680D8C unknown
Key Path Name Type Old Data New Data Completion CountSourceAddress Symbol
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing binary 1C 00 00 00 01 00 00 00 E4 07 06 00 06 00 0D 00 02 00 14 00 20 00 63 03 01 00 00 00 1E 76 81 27 E0 28 09 41 99 FE B9 D1 27 C5 7A FE
1C 00 00 00 01 00 00 00 E4 07 06 00 06 00 0D 00 02 00 14 00 20 00 6B 03 01 00 00 00 1E 76 81 27 E0 28 09 41 99 FE B9 D1 27 C5 7A FE
success or wait 1 66680D8C unknown
Start time: 19:20:27
Start date: 12/06/2020
Path: C:\Windows\splwow64.exe
Wow64 process (32bit): false
Commandline: C:\Windows\splwow64.exe 12288
Imagebase: 0x7ff7a2370000
File size: 130560 bytes
MD5 hash: 8D59B31FF375059E3C32B17BF31A76D5
Key CreatedKey Created
Key Value CreatedKey Value Created
Key Value ModifiedKey Value Modified
Analysis Process: splwow64.exe PID: 6088 Parent PID: 5416Analysis Process: splwow64.exe PID: 6088 Parent PID: 5416
General
Copyright null 2020 Page 64 of 113
File ActivitiesFile Activities
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
File Path Offset Length Completion CountSourceAddress Symbol
File ActivitiesFile Activities
Start time: 19:21:30
Start date: 12/06/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 2492
Imagebase: 0xa10000
File size: 434584 bytes
MD5 hash: 80E91E3C0F5563E4049B62FCAF5D67AC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
File Path Access Attributes Options Completion CountSourceAddress Symbol
C:\Users\user\AppData\Local\DBG read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision 1 64BB1717 unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp read attributes | synchronize | generic read
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp read attributes | synchronize | generic read
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42F3.tmp read attributes | synchronize | generic read
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42F3.tmp.xml read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_12b34477
read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_12b34477\Report.wer
read attributes | synchronize | generic write
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
Analysis Process: WerFault.exe PID: 4832 Parent PID: 5416Analysis Process: WerFault.exe PID: 4832 Parent PID: 5416
General
File CreatedFile Created
File DeletedFile Deleted
Copyright null 2020 Page 65 of 113
File Path Completion CountSourceAddress Symbol
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42F3.tmp success or wait 1 64BA497A unknown
C:\Users\user\AppData\Local\Temp\{5F5C2939-9FCE-42E8-BEA1-F2378749598F} - OProcSessId.dat success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42F3.tmp.xml success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4310.tmp.csv success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER443A.tmp.txt success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 32 4d 44 4d 50 93 a7 ee a0 0f 00 00 00 20 00 00 00 00 00 00 00 2d 38 e4 5e a4 05 12 00 00 00 00 00
MDMP........ .......-8.^........ success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 6 00 00 00 00 00 00 ...... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 1420 00 00 06 00 02 3f 04 01 0a 00 00 00 00 00 00 00 ee 42 00 00 02 00 00 00 ac 54 00 00 00 01 00 00 47 65 6e 75 69 6e 65 49 6e 74 65 6c f2 06 03 00 ff fb 8b 17 00 00 00 00 54 05 00 00 f7 03 00 00 28 15 00 00 cc 37 e4 5e 04 00 00 00 3a 00 00 00 a4 0d 00 00 a4 0d 00 00 a4 0d 00 00 01 00 00 00 01 00 00 00 00 30 00 00 0d 00 00 00 00 00 00 00 02 00 00 00 e0 01 00 00 50 00 61 00 63 00 69 00 66 00 69 00 63 00 20 00 53 00 74 00 61 00 6e 00 64 00 61 00 72 00 64 00 20 00 54 00 69 00 6d 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 00 00 50 00 61 00 63 00 69 00 66 00 69 00 63 00 20 00 44 00 61 00 79 00 6c 00 69 00 67 00 68 00 74 00 20 00 54 00 69 00 6d 00 65 00 00 00 00 00 00 00 00 00 00
.....?...........B.......T....
..GenuineIntel............T...
....(....7.^....:.............
...........0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e..........
success or wait 1 64BA497A unknown
File WrittenFile Written
Copyright null 2020 Page 66 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 716 7f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa 2b 00 00 00 53 00 00 00 2b 00 00 00 2b 00 00 00 c8 53 25 1b 00 00 a8 f3 00 00 00 00 c8 53 25 1b 11 00 00 00 11 00 00 00 30 c4 95 03 90 ff 4b 77 23 00 00 00 86 02 01 00 f8 c3 95 03 2b 00 00 00 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
..............................
..............................
..............................
..............................
....................+...S...+.
..+....S%..........S%.........0.....Kw#...........+......................................................
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 168 2c 15 00 00 00 00 00 00 05 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 90 ff 4b 77 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 f3 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc 02 00 00 70 69 00 00
,.........................Kw........................................................................................................................................pi..
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 20 65 01 00 00 e0 73 d0 03 00 00 00 00 04 00 00 00 14 ce 00 00
e....s.............. success or wait 357 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 4 44 24 89 6d D$.m success or wait 356 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 4 74 99 3b 6d t.;m success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 4 1b 00 00 00 .... success or wait 27 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 67 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 716 3f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa 2b 00 00 00 53 00 00 00 2b 00 00 00 2b 00 00 00 aa aa aa aa 00 00 00 00 00 00 00 00 c8 53 25 1b aa aa aa aa 00 00 00 00 20 bd 95 03 bc a7 4f 77 23 00 00 00 12 02 00 00 e0 bc 95 03 2b 00 00 00 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
?...........................................................................................................................................+...S...+...+................S%......... .....Ow#...........+......................................................
success or wait 27 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 48 f0 17 00 00 01 00 00 00 20 00 00 00 00 00 00 00 00 f0 6b 03 00 00 00 00 c4 f6 90 19 00 00 00 00 3c 09 00 00 c9 17 03 00 cc 02 00 00 f4 b4 00 00
........ .........k.............<...............
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 4 a4 00 00 00 .... success or wait 164 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 24 12 00 00 00 45 00 58 00 43 00 45 00 4c 00 2e 00 45 00 58 00 45 00 00 00
....E.X.C.E.L...E.X.E... success or wait 164 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 120 00 00 a8 03 00 00 00 00 00 c0 04 00 00 00 00 00 50 a0 f1 5a 58 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 18 00 00 00 08 00 00 00
................P..ZXh........
..............................
..............................
..............................
success or wait 8 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 54 30 00 00 00 72 00 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 70 00 6f 00 6c 00 69 00 63 00 79 00 63 00 6c 00 69 00 65 00 6e 00 74 00 2e 00 64 00 6c 00 6c 00 00 00
0...r.e.s.o.u.r.c.e.p.o.l.i.c.y.c.l.i.e.n.t...d.l.l...
success or wait 8 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 68 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 668 00 00 9f 64 00 00 00 00 00 00 40 00 69 49 40 00 53 37 f1 3e 48 69 00 00 01 00 0f 00 5a 62 02 00 00 10 00 00 8d ff 07 00 01 00 00 00 ef ff 07 00 00 00 01 00 00 00 01 00 00 00 00 00 ff ff fe 7f 00 00 00 00 0f 00 00 00 00 00 00 00 04 00 00 00 00 a0 69 00 00 00 00 00 00 20 74 02 00 00 00 00 3c e0 02 00 00 01 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 a9 85 03 00 00 00 00 00 95 33 04 00 00 00 00 00 35 b6 01 00 00 00 00 00 8e 11 1b 00 00 00 00 00 b2 ed 04 00 00 00 00 00 40 ff 1f 00 00 00 00 00 e0 51 06 00 00 00 00 00 d2 71 d6 ee 00 00 00 00 2c 5b 34 44 00 00 00 00 67 bb ce 21 00 00 00 00 f3 60 af 03 00 00 00 00 85 6f 08 00 85 46 05 00 99 99 05 00 33 35 05 00 b2 ed 04 00 8d ff 10 00 e0 51 06 00 cf 58 39 00 6c ca 01 00 1b a6 1b 00 00 00 00 00 4f dd 1b 00 61 87 05
[email protected]@.S7.>Hi......Zb
..............................
......................i...... t.....<............................3......5.......................@........Q.......q......,[4D....g..!.....`.......o...F......35...........Q...X9.l...........O...a..
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 82758 06 00 00 00 4b 00 65 00 79 00 00 00 06 00 00 00 4b 00 65 00 79 00 00 00 0a 00 00 00 45 00 76 00 65 00 6e 00 74 00 00 00 00 00 00 00 06 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 28 00 00 00 57 00 61 00 69 00 74 00 43 00 6f 00 6d 00 70 00 6c 00 65 00 74 00 69 00 6f 00 6e 00 50 00 61 00 63 00 6b 00 65 00 74 00 00 00 18 00 00 00 49 00 6f 00 43 00 6f 00 6d 00 70 00 6c 00 65 00 74 00 69 00 6f 00 6e 00 00 00 1e 00 00 00 54 00 70 00 57 00 6f 00 72 00 6b 00 65 00 72 00 46 00 61 00 63 00 74 00 6f 00 72 00 79 00 00 00 0e 00 00 00 49 00 52 00 54 00 69 00 6d 00 65 00 72 00 00 00 28 00 00 00 57 00 61 00 69 00 74 00 43 00 6f 00 6d 00 70 00 6c 00 65 00 74 00 69 00 6f 00 6e 00 50 00 61 00 63 00 6b 00 65 00 74 00 00 00 0e 00 00 00 49 00 52 00 54 00 69 00 6d 00 65 00 72
....K.e.y.......K.e.y.......E.v.e.n.t.......................(...W.a.i.t.C.o.m.p.l.e.t.i.o.n.P.a.c.k.e.t.......I.o.C.o.m.p.l.e.t.i.o.n.......T.p.W.o.r.k.e.r.F.a.c.t.o.r.y.......I.R.T.i.m.e.r...(...W.a.i.t.C.o.m.p.l.e.t.i.o.n.P.a.c.k.e.t.......I.R.T.i.m.e.r
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 69 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3A75.tmp.dmp
unknown 120 03 00 00 00 14 05 00 00 08 07 00 00 04 00 00 00 34 45 00 00 28 0c 00 00 0e 00 00 00 cc 00 00 00 5c 51 00 00 05 00 00 00 54 16 00 00 c0 b7 00 00 06 00 00 00 a8 00 00 00 60 06 00 00 07 00 00 00 38 00 00 00 d4 00 00 00 0f 00 00 00 54 05 00 00 0c 01 00 00 0c 00 00 00 98 c7 00 00 6f fa 04 00 15 00 00 00 ec 01 00 00 28 52 00 00 16 00 00 00 98 00 00 00 14 54 00 00
................4E..(.........
..\Q......T...............`...
....8...........T.............
..o...........(R...........T..
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 ff fe .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 78 3c 00 3f 00 78 00 6d 00 6c 00 20 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3d 00 22 00 31 00 2e 00 30 00 22 00 20 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 3d 00 22 00 55 00 54 00 46 00 2d 00 31 00 36 00 22 00 3f 00 3e 00
<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 38 3c 00 57 00 45 00 52 00 52 00 65 00 70 00 6f 00 72 00 74 00 4d 00 65 00 74 00 61 00 64 00 61 00 74 00 61 00 3e 00
<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 44 3c 00 4f 00 53 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 82 3c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 4e 00 54 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3e 00 31 00 30 00 2e 00 30 00 3c 00 2f 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 4e 00 54 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3e 00
<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 40 3c 00 42 00 75 00 69 00 6c 00 64 00 3e 00 31 00 37 00 31 00 33 00 34 00 3c 00 2f 00 42 00 75 00 69 00 6c 00 64 00 3e 00
<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 70 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 82 3c 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 3e 00 28 00 30 00 78 00 33 00 30 00 29 00 3a 00 20 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 31 00 30 00 20 00 50 00 72 00 6f 00 3c 00 2f 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 3e 00
<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 62 3c 00 45 00 64 00 69 00 74 00 69 00 6f 00 6e 00 3e 00 50 00 72 00 6f 00 66 00 65 00 73 00 73 00 69 00 6f 00 6e 00 61 00 6c 00 3c 00 2f 00 45 00 64 00 69 00 74 00 69 00 6f 00 6e 00 3e 00
<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 138 3c 00 42 00 75 00 69 00 6c 00 64 00 53 00 74 00 72 00 69 00 6e 00 67 00 3e 00 31 00 37 00 31 00 33 00 34 00 2e 00 31 00 36 00 35 00 2e 00 61 00 6d 00 64 00 36 00 34 00 66 00 72 00 65 00 2e 00 72 00 73 00 34 00 5f 00 72 00 65 00 6c 00 65 00 61 00 73 00 65 00 2e 00 31 00 38 00 30 00 34 00 31 00 30 00 2d 00 31 00 38 00 30 00 34 00 3c 00 2f 00 42 00 75 00 69 00 6c 00 64 00 53 00 74 00 72 00 69 00 6e 00 67 00 3e 00
<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 48 3c 00 52 00 65 00 76 00 69 00 73 00 69 00 6f 00 6e 00 3e 00 31 00 36 00 35 00 3c 00 2f 00 52 00 65 00 76 00 69 00 73 00 69 00 6f 00 6e 00 3e 00
<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 72 3c 00 46 00 6c 00 61 00 76 00 6f 00 72 00 3e 00 4d 00 75 00 6c 00 74 00 69 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 6f 00 72 00 20 00 46 00 72 00 65 00 65 00 3c 00 2f 00 46 00 6c 00 61 00 76 00 6f 00 72 00 3e 00
<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 71 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 64 3c 00 41 00 72 00 63 00 68 00 69 00 74 00 65 00 63 00 74 00 75 00 72 00 65 00 3e 00 58 00 36 00 34 00 3c 00 2f 00 41 00 72 00 63 00 68 00 69 00 74 00 65 00 63 00 74 00 75 00 72 00 65 00 3e 00
<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 34 3c 00 4c 00 43 00 49 00 44 00 3e 00 31 00 30 00 33 00 33 00 3c 00 2f 00 4c 00 43 00 49 00 44 00 3e 00
<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 46 3c 00 2f 00 4f 00 53 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 40 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 30 3c 00 50 00 69 00 64 00 3e 00 35 00 34 00 31 00 36 00 3c 00 2f 00 50 00 69 00 64 00 3e 00
<.P.i.d.>.5.4.1.6.<./.P.i.d.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 64 3c 00 49 00 6d 00 61 00 67 00 65 00 4e 00 61 00 6d 00 65 00 3e 00 45 00 58 00 43 00 45 00 4c 00 2e 00 45 00 58 00 45 00 3c 00 2f 00 49 00 6d 00 61 00 67 00 65 00 4e 00 61 00 6d 00 65 00 3e 00
<.I.m.a.g.e.N.a.m.e.>.E.X.C.E.L...E.X.E.<./.I.m.a.g.e.N.a.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 90 3c 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 3e 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 3c 00 2f 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 3e 00
<.C.m.d.L.i.n.e.S.i.g.n.a.t.u.r.e.>.0.0.0.0.0.0.0.0.<./.C.m.d.L.i.n.e.S.i.g.n.a.t.u.r.e.>.
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 72 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 44 3c 00 55 00 70 00 74 00 69 00 6d 00 65 00 3e 00 39 00 37 00 38 00 38 00 31 00 3c 00 2f 00 55 00 70 00 74 00 69 00 6d 00 65 00 3e 00
<.U.p.t.i.m.e.>.9.7.8.8.1.<./.U.p.t.i.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 82 3c 00 57 00 6f 00 77 00 36 00 34 00 20 00 67 00 75 00 65 00 73 00 74 00 3d 00 22 00 33 00 33 00 32 00 22 00 20 00 68 00 6f 00 73 00 74 00 3d 00 22 00 33 00 34 00 34 00 30 00 34 00 22 00 3e 00 31 00 3c 00 2f 00 57 00 6f 00 77 00 36 00 34 00 3e 00
<.W.o.w.6.4. .g.u.e.s.t.=.".3.3.2.". .h.o.s.t.=.".3.4.4.0.4.".>.1.<./.W.o.w.6.4.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 52 3c 00 49 00 70 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00 30 00 3c 00 2f 00 49 00 70 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00
<.I.p.t.E.n.a.b.l.e.d.>.0.<./.I.p.t.E.n.a.b.l.e.d.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 44 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 56 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.P.r.o.c.e.s.s.V.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 88 3c 00 50 00 65 00 61 00 6b 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00 37 00 31 00 30 00 32 00 35 00 38 00 36 00 38 00 38 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00
<.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.>.7.1.0.2.5.8.6.8.8.<./.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 73 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 72 3c 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00 36 00 38 00 39 00 37 00 35 00 38 00 32 00 30 00 38 00 3c 00 2f 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00
<.V.i.r.t.u.a.l.S.i.z.e.>.6.8.9.7.5.8.2.0.8.<./.V.i.r.t.u.a.l.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 76 3c 00 50 00 61 00 67 00 65 00 46 00 61 00 75 00 6c 00 74 00 43 00 6f 00 75 00 6e 00 74 00 3e 00 36 00 34 00 39 00 38 00 38 00 3c 00 2f 00 50 00 61 00 67 00 65 00 46 00 61 00 75 00 6c 00 74 00 43 00 6f 00 75 00 6e 00 74 00 3e 00
<.P.a.g.e.F.a.u.l.t.C.o.u.n.t.>.6.4.9.8.8.<./.P.a.g.e.F.a.u.l.t.C.o.u.n.t.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 100 3c 00 50 00 65 00 61 00 6b 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00 31 00 35 00 36 00 34 00 39 00 31 00 37 00 37 00 36 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00
<.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.1.5.6.4.9.1.7.7.6.<./.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 82 3c 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00 35 00 33 00 38 00 37 00 30 00 35 00 39 00 32 00 3c 00 2f 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00
<.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.5.3.8.7.0.5.9.2.<./.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 116 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 31 00 31 00 36 00 39 00 31 00 33 00 36 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.1.1.6.9.1.3.6.<./.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 74 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 100 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 31 00 31 00 33 00 37 00 32 00 34 00 38 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.1.1.3.7.2.4.8.<./.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 126 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 35 00 31 00 35 00 35 00 32 00 38 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.5.1.5.5.2.8.<./.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 110 3c 00 51 00 75 00 6f 00 74 00 61 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 35 00 31 00 35 00 32 00 35 00 36 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.5.1.5.2.5.6.<./.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 80 3c 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 31 00 30 00 30 00 39 00 39 00 39 00 31 00 36 00 38 00 3c 00 2f 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.a.g.e.f.i.l.e.U.s.a.g.e.>.1.0.0.9.9.9.1.6.8.<./.P.a.g.e.f.i.l.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 75 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 96 3c 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 31 00 31 00 32 00 30 00 38 00 37 00 30 00 34 00 30 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.>.1.1.2.0.8.7.0.4.0.<./.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 76 3c 00 50 00 72 00 69 00 76 00 61 00 74 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 31 00 30 00 30 00 39 00 39 00 39 00 31 00 36 00 38 00 3c 00 2f 00 50 00 72 00 69 00 76 00 61 00 74 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.r.i.v.a.t.e.U.s.a.g.e.>.1.0.0.9.9.9.1.6.8.<./.P.r.i.v.a.t.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 46 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 56 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.P.r.o.c.e.s.s.V.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 30 3c 00 50 00 61 00 72 00 65 00 6e 00 74 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 3e 00
<.P.a.r.e.n.t.P.r.o.c.e.s.s.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 40 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 28 3c 00 50 00 69 00 64 00 3e 00 37 00 30 00 30 00 3c 00 2f 00 50 00 69 00 64 00 3e 00
<.P.i.d.>.7.0.0.<./.P.i.d.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 68 3c 00 49 00 6d 00 61 00 67 00 65 00 4e 00 61 00 6d 00 65 00 3e 00 73 00 76 00 63 00 68 00 6f 00 73 00 74 00 2e 00 65 00 78 00 65 00 3c 00 2f 00 49 00 6d 00 61 00 67 00 65 00 4e 00 61 00 6d 00 65 00 3e 00
<.I.m.a.g.e.N.a.m.e.>.s.v.c.h.o.s.t...e.x.e.<./.I.m.a.g.e.N.a.m.e.>.
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 76 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 90 3c 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 3e 00 38 00 30 00 30 00 30 00 34 00 30 00 30 00 35 00 3c 00 2f 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 3e 00
<.C.m.d.L.i.n.e.S.i.g.n.a.t.u.r.e.>.8.0.0.0.4.0.0.5.<./.C.m.d.L.i.n.e.S.i.g.n.a.t.u.r.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 48 3c 00 55 00 70 00 74 00 69 00 6d 00 65 00 3e 00 35 00 34 00 35 00 34 00 39 00 36 00 30 00 3c 00 2f 00 55 00 70 00 74 00 69 00 6d 00 65 00 3e 00
<.U.p.t.i.m.e.>.5.4.5.4.9.6.0.<./.U.p.t.i.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 78 3c 00 57 00 6f 00 77 00 36 00 34 00 20 00 67 00 75 00 65 00 73 00 74 00 3d 00 22 00 30 00 22 00 20 00 68 00 6f 00 73 00 74 00 3d 00 22 00 33 00 34 00 34 00 30 00 34 00 22 00 3e 00 30 00 3c 00 2f 00 57 00 6f 00 77 00 36 00 34 00 3e 00
<.W.o.w.6.4. .g.u.e.s.t.=.".0.". .h.o.s.t.=.".3.4.4.0.4.".>.0.<./.W.o.w.6.4.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 52 3c 00 49 00 70 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00 30 00 3c 00 2f 00 49 00 70 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00
<.I.p.t.E.n.a.b.l.e.d.>.0.<./.I.p.t.E.n.a.b.l.e.d.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 44 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 56 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.P.r.o.c.e.s.s.V.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 77 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 90 3c 00 50 00 65 00 61 00 6b 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00 34 00 32 00 39 00 34 00 39 00 36 00 37 00 32 00 39 00 35 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00
<.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.>.4.2.9.4.9.6.7.2.9.5.<./.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 74 3c 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00 34 00 32 00 39 00 34 00 39 00 36 00 37 00 32 00 39 00 35 00 3c 00 2f 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00
<.V.i.r.t.u.a.l.S.i.z.e.>.4.2.9.4.9.6.7.2.9.5.<./.V.i.r.t.u.a.l.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 76 3c 00 50 00 61 00 67 00 65 00 46 00 61 00 75 00 6c 00 74 00 43 00 6f 00 75 00 6e 00 74 00 3e 00 31 00 34 00 34 00 32 00 33 00 3c 00 2f 00 50 00 61 00 67 00 65 00 46 00 61 00 75 00 6c 00 74 00 43 00 6f 00 75 00 6e 00 74 00 3e 00
<.P.a.g.e.F.a.u.l.t.C.o.u.n.t.>.1.4.4.2.3.<./.P.a.g.e.F.a.u.l.t.C.o.u.n.t.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 98 3c 00 50 00 65 00 61 00 6b 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00 32 00 30 00 34 00 35 00 31 00 33 00 32 00 38 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00
<.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.2.0.4.5.1.3.2.8.<./.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 80 3c 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00 35 00 30 00 30 00 35 00 33 00 31 00 32 00 3c 00 2f 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00
<.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.5.0.0.5.3.1.2.<./.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 78 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 114 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 35 00 30 00 33 00 32 00 34 00 30 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.5.0.3.2.4.0.<./.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 98 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 34 00 32 00 33 00 37 00 36 00 30 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.4.2.3.7.6.0.<./.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 124 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 32 00 34 00 38 00 39 00 36 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.2.4.8.9.6.<./.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 108 3c 00 51 00 75 00 6f 00 74 00 61 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 32 00 33 00 34 00 30 00 38 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.2.3.4.0.8.<./.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 79 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 76 3c 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 38 00 32 00 33 00 37 00 30 00 35 00 36 00 3c 00 2f 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.a.g.e.f.i.l.e.U.s.a.g.e.>.8.2.3.7.0.5.6.<./.P.a.g.e.f.i.l.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 92 3c 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 38 00 34 00 37 00 34 00 36 00 32 00 34 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.>.8.4.7.4.6.2.4.<./.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 72 3c 00 50 00 72 00 69 00 76 00 61 00 74 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 38 00 32 00 33 00 37 00 30 00 35 00 36 00 3c 00 2f 00 50 00 72 00 69 00 76 00 61 00 74 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.r.i.v.a.t.e.U.s.a.g.e.>.8.2.3.7.0.5.6.<./.P.r.i.v.a.t.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 46 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 56 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.P.r.o.c.e.s.s.V.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 42 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 32 3c 00 2f 00 50 00 61 00 72 00 65 00 6e 00 74 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 3e 00
<./.P.a.r.e.n.t.P.r.o.c.e.s.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 80 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 42 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 38 3c 00 50 00 72 00 6f 00 62 00 6c 00 65 00 6d 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 73 00 3e 00
<.P.r.o.b.l.e.m.S.i.g.n.a.t.u.r.e.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 62 3c 00 45 00 76 00 65 00 6e 00 74 00 54 00 79 00 70 00 65 00 3e 00 41 00 50 00 50 00 43 00 52 00 41 00 53 00 48 00 3c 00 2f 00 45 00 76 00 65 00 6e 00 74 00 54 00 79 00 70 00 65 00 3e 00
<.E.v.e.n.t.T.y.p.e.>.A.P.P.C.R.A.S.H.<./.E.v.e.n.t.T.y.p.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 8 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 16 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 68 3c 00 50 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 30 00 3e 00 45 00 58 00 43 00 45 00 4c 00 2e 00 45 00 58 00 45 00 3c 00 2f 00 50 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 30 00 3e 00
<.P.a.r.a.m.e.t.e.r.0.>.E.X.C.E.L...E.X.E.<./.P.a.r.a.m.e.t.e.r.0.>.
success or wait 8 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 40 3c 00 2f 00 50 00 72 00 6f 00 62 00 6c 00 65 00 6d 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 73 00 3e 00
<./.P.r.o.b.l.e.m.S.i.g.n.a.t.u.r.e.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 38 3c 00 44 00 79 00 6e 00 61 00 6d 00 69 00 63 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 73 00 3e 00
<.D.y.n.a.m.i.c.S.i.g.n.a.t.u.r.e.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 6 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 12 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 96 3c 00 50 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 31 00 3e 00 31 00 30 00 2e 00 30 00 2e 00 31 00 37 00 31 00 33 00 34 00 2e 00 32 00 2e 00 30 00 2e 00 30 00 2e 00 32 00 35 00 36 00 2e 00 34 00 38 00 3c 00 2f 00 50 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 31 00 3e 00
<.P.a.r.a.m.e.t.e.r.1.>.1.0...0...1.7.1.3.4...2...0...0...2.5.6...4.8.<./.P.a.r.a.m.e.t.e.r.1.>.
success or wait 6 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 81 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 40 3c 00 2f 00 44 00 79 00 6e 00 61 00 6d 00 69 00 63 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 73 00 3e 00
<./.D.y.n.a.m.i.c.S.i.g.n.a.t.u.r.e.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 38 3c 00 53 00 79 00 73 00 74 00 65 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.S.y.s.t.e.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 94 3c 00 4d 00 49 00 44 00 3e 00 45 00 33 00 38 00 42 00 36 00 30 00 42 00 33 00 2d 00 35 00 46 00 46 00 41 00 2d 00 34 00 46 00 38 00 38 00 2d 00 41 00 41 00 35 00 38 00 2d 00 43 00 44 00 44 00 34 00 39 00 37 00 45 00 37 00 43 00 42 00 32 00 32 00 3c 00 2f 00 4d 00 49 00 44 00 3e 00
<.M.I.D.>.E.3.8.B.6.0.B.3.-.5.F.F.A.-.4.F.8.8.-.A.A.5.8.-.C.D.D.4.9.7.E.7.C.B.2.2.<./.M.I.D.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 106 3c 00 53 00 79 00 73 00 74 00 65 00 6d 00 4d 00 61 00 6e 00 75 00 66 00 61 00 63 00 74 00 75 00 72 00 65 00 72 00 3e 00 61 00 6a 00 67 00 63 00 71 00 67 00 68 00 20 00 47 00 6d 00 62 00 48 00 3c 00 2f 00 53 00 79 00 73 00 74 00 65 00 6d 00 4d 00 61 00 6e 00 75 00 66 00 61 00 63 00 74 00 75 00 72 00 65 00 72 00 3e 00
<.S.y.s.t.e.m.M.a.n.u.f.a.c.t.u.r.e.r.>.a.j.g.c.q.g.h. .G.m.b.H.<./.S.y.s.t.e.m.M.a.n.u.f.a.c.t.u.r.e.r.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 98 3c 00 53 00 79 00 73 00 74 00 65 00 6d 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 3e 00 70 00 6c 00 78 00 63 00 6b 00 6b 00 6a 00 65 00 6c 00 63 00 3c 00 2f 00 53 00 79 00 73 00 74 00 65 00 6d 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 3e 00
<.S.y.s.t.e.m.P.r.o.d.u.c.t.N.a.m.e.>.p.l.x.c.k.k.j.e.l.c.<./.S.y.s.t.e.m.P.r.o.d.u.c.t.N.a.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 82 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 74 3c 00 42 00 49 00 4f 00 53 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3e 00 70 00 6c 00 78 00 63 00 6b 00 6b 00 6a 00 65 00 6c 00 63 00 3c 00 2f 00 42 00 49 00 4f 00 53 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3e 00
<.B.I.O.S.V.e.r.s.i.o.n.>.p.l.x.c.k.k.j.e.l.c.<./.B.I.O.S.V.e.r.s.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 82 3c 00 4f 00 53 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 44 00 61 00 74 00 65 00 3e 00 31 00 35 00 35 00 38 00 31 00 32 00 33 00 36 00 31 00 36 00 3c 00 2f 00 4f 00 53 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 44 00 61 00 74 00 65 00 3e 00
<.O.S.I.n.s.t.a.l.l.D.a.t.e.>.1.5.5.8.1.2.3.6.1.6.<./.O.S.I.n.s.t.a.l.l.D.a.t.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 102 3c 00 4f 00 53 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 54 00 69 00 6d 00 65 00 3e 00 32 00 30 00 31 00 38 00 2d 00 30 00 37 00 2d 00 31 00 32 00 54 00 30 00 39 00 3a 00 30 00 32 00 3a 00 35 00 36 00 5a 00 3c 00 2f 00 4f 00 53 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 54 00 69 00 6d 00 65 00 3e 00
<.O.S.I.n.s.t.a.l.l.T.i.m.e.>.2.0.1.8.-.0.7.-.1.2.T.0.9.:.0.2.:.5.6.Z.<./.O.S.I.n.s.t.a.l.l.T.i.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 68 3c 00 54 00 69 00 6d 00 65 00 5a 00 6f 00 6e 00 65 00 42 00 69 00 61 00 73 00 3e 00 30 00 38 00 3a 00 30 00 30 00 3c 00 2f 00 54 00 69 00 6d 00 65 00 5a 00 6f 00 6e 00 65 00 42 00 69 00 61 00 73 00 3e 00
<.T.i.m.e.Z.o.n.e.B.i.a.s.>.0.8.:.0.0.<./.T.i.m.e.Z.o.n.e.B.i.a.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 40 3c 00 2f 00 53 00 79 00 73 00 74 00 65 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.S.y.s.t.e.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 34 3c 00 53 00 65 00 63 00 75 00 72 00 65 00 42 00 6f 00 6f 00 74 00 53 00 74 00 61 00 74 00 65 00 3e 00
<.S.e.c.u.r.e.B.o.o.t.S.t.a.t.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 83 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 114 3c 00 55 00 45 00 46 00 49 00 53 00 65 00 63 00 75 00 72 00 65 00 42 00 6f 00 6f 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00 4e 00 6f 00 74 00 43 00 61 00 70 00 61 00 62 00 6c 00 65 00 3c 00 2f 00 55 00 45 00 46 00 49 00 53 00 65 00 63 00 75 00 72 00 65 00 42 00 6f 00 6f 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00
<.U.E.F.I.S.e.c.u.r.e.B.o.o.t.E.n.a.b.l.e.d.>.N.o.t.C.a.p.a.b.l.e.<./.U.E.F.I.S.e.c.u.r.e.B.o.o.t.E.n.a.b.l.e.d.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 36 3c 00 2f 00 53 00 65 00 63 00 75 00 72 00 65 00 42 00 6f 00 6f 00 74 00 53 00 74 00 61 00 74 00 65 00 3e 00
<./.S.e.c.u.r.e.B.o.o.t.S.t.a.t.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 24 3c 00 49 00 6e 00 74 00 65 00 67 00 72 00 61 00 74 00 6f 00 72 00 3e 00
<.I.n.t.e.g.r.a.t.o.r.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 6 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 46 3c 00 46 00 6c 00 61 00 67 00 73 00 3e 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 42 00 3c 00 2f 00 46 00 6c 00 61 00 67 00 73 00 3e 00
<.F.l.a.g.s.>.0.0.0.0.0.0.0.B.<./.F.l.a.g.s.>.
success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 26 3c 00 2f 00 49 00 6e 00 74 00 65 00 67 00 72 00 61 00 74 00 6f 00 72 00 3e 00
<./.I.n.t.e.g.r.a.t.o.r.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 100 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 54 00 69 00 6d 00 65 00 6c 00 69 00 6e 00 65 00 73 00 20 00 42 00 61 00 73 00 65 00 54 00 69 00 6d 00 65 00 3d 00 22 00 32 00 30 00 32 00 30 00 2d 00 30 00 36 00 2d 00 31 00 33 00 54 00 30 00 32 00 3a 00 32 00 31 00 3a 00 33 00 34 00 5a 00 22 00 3e 00
<.P.r.o.c.e.s.s.T.i.m.e.l.i.n.e.s. .B.a.s.e.T.i.m.e.=.".2.0.2.0.-.0.6.-.1.3.T.0.2.:.2.1.:.3.4.Z.".>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 84 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 266 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 20 00 41 00 73 00 49 00 64 00 3d 00 22 00 33 00 38 00 36 00 22 00 20 00 50 00 49 00 44 00 3d 00 22 00 35 00 34 00 31 00 36 00 22 00 20 00 55 00 70 00 74 00 69 00 6d 00 65 00 4d 00 53 00 3d 00 22 00 39 00 33 00 30 00 38 00 31 00 22 00 20 00 54 00 69 00 6d 00 65 00 53 00 69 00 6e 00 63 00 65 00 43 00 72 00 65 00 61 00 74 00 69 00 6f 00 6e 00 4d 00 53 00 3d 00 22 00 39 00 33 00 30 00 38 00 31 00 22 00 20 00 53 00 75 00 73 00 70 00 65 00 6e 00 64 00 65 00 64 00 4d 00 53 00 3d 00 22 00 30 00 22 00 20 00 48 00 61 00 6e 00 67 00 43 00 6f 00 75 00 6e 00 74 00 3d 00 22 00 30 00 22 00 20 00 47 00 68 00 6f 00 73 00 74 00 43 00 6f 00 75 00 6e 00 74 00 3d 00 22 00 31 00 22 00 20 00 43 00 72 00 61 00 73 00 68 00 65 00 64
<.P.r.o.c.e.s.s. .A.s.I.d.=.".3.8.6.". .P.I.D.=.".5.4.1.6.". .U.p.t.i.m.e.M.S.=.".9.3.0.8.1.". .T.i.m.e.S.i.n.c.e.C.r.e.a.t.i.o.n.M.S.=.".9.3.0.8.1.". .S.u.s.p.e.n.d.e.d.M.S.=.".0.". .H.a.n.g.C.o.u.n.t.=.".0.". .G.h.o.s.t.C.o.u.n.t.=.".1.". .C.r.a.s.h.e.d
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 20 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 3e 00
<./.P.r.o.c.e.s.s.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 38 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 54 00 69 00 6d 00 65 00 6c 00 69 00 6e 00 65 00 73 00 3e 00
<./.P.r.o.c.e.s.s.T.i.m.e.l.i.n.e.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 38 3c 00 52 00 65 00 70 00 6f 00 72 00 74 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.R.e.p.o.r.t.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 98 3c 00 47 00 75 00 69 00 64 00 3e 00 39 00 31 00 65 00 62 00 61 00 32 00 63 00 63 00 2d 00 33 00 32 00 36 00 64 00 2d 00 34 00 33 00 35 00 62 00 2d 00 61 00 31 00 37 00 35 00 2d 00 39 00 63 00 37 00 35 00 62 00 63 00 32 00 31 00 64 00 63 00 66 00 36 00 3c 00 2f 00 47 00 75 00 69 00 64 00 3e 00
<.G.u.i.d.>.9.1.e.b.a.2.c.c.-.3.2.6.d.-.4.3.5.b.-.a.1.7.5.-.9.c.7.5.b.c.2.1.d.c.f.6.<./.G.u.i.d.>.
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 85 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 98 3c 00 43 00 72 00 65 00 61 00 74 00 69 00 6f 00 6e 00 54 00 69 00 6d 00 65 00 3e 00 32 00 30 00 32 00 30 00 2d 00 30 00 36 00 2d 00 31 00 33 00 54 00 30 00 32 00 3a 00 32 00 31 00 3a 00 33 00 34 00 5a 00 3c 00 2f 00 43 00 72 00 65 00 61 00 74 00 69 00 6f 00 6e 00 54 00 69 00 6d 00 65 00 3e 00
<.C.r.e.a.t.i.o.n.T.i.m.e.>.2.0.2.0.-.0.6.-.1.3.T.0.2.:.2.1.:.3.4.Z.<./.C.r.e.a.t.i.o.n.T.i.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 40 3c 00 2f 00 52 00 65 00 70 00 6f 00 72 00 74 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.R.e.p.o.r.t.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4246.tmp.WERInternalMetadata.xml
unknown 40 3c 00 2f 00 57 00 45 00 52 00 52 00 65 00 70 00 6f 00 72 00 74 00 4d 00 65 00 74 00 61 00 64 00 61 00 74 00 61 00 3e 00
<./.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42F3.tmp.xml
unknown 4574 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 79 65 73 22 3f 3e 0d 0a 3c 72 65 71 20 76 65 72 3d 22 32 22 3e 0d 0a 20 20 3c 74 6c 6d 3e 0d 0a 20 20 20 20 3c 73 72 63 3e 0d 0a 20 20 20 20 20 20 3c 64 65 73 63 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 61 63 68 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 6f 73 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 72 67 20 6e 6d 3d 22 76 65 72 6d 61 6a 22 20 76 61 6c 3d 22 31 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 72 67 20 6e 6d 3d 22 76 65 72 6d 69 6e 22 20 76 61 6c 3d 22 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 72 67 20 6e 6d 3d 22 76 65 72 62 6c 64 22 20 76 61 6c 3d 22
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_12b34477\Report.wer
unknown 2 ff fe .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_12b34477\Report.wer
unknown 22 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3d 00 31 00 0d 00 0a 00
V.e.r.s.i.o.n.=.1..... success or wait 288 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 86 of 113
Registry ActivitiesRegistry Activities
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_12b34477\Report.wer
unknown 46 4d 00 65 00 74 00 61 00 64 00 61 00 74 00 61 00 48 00 61 00 73 00 68 00 3d 00 31 00 34 00 39 00 39 00 31 00 33 00 37 00 34 00 34 00 31 00
M.e.t.a.d.a.t.a.H.a.s.h.=.1.4.9.9.1.3.7.4.4.1.
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Key Path Completion CountSourceAddress Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{11517B7C-E79D-4e20-961B-75A811715ADD}
success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\PermissionsCheckTestKey success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\PermissionsCheckTestKey success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a success or wait 1 64BC36BF unknown
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug success or wait 1 64BC1FB2 RegCreateKeyExW
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\PermissionsCheckTestKey success or wait 1 64BA43D1 unknown
Key Path Name Type Data Completion CountSourceAddress Symbol
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile
WritePermissionsCheck dword 1 success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile
ProviderSyncId unicode {c77f63cc-93fb-4630-b248-f186b0a9dc97}
success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
ProgramId unicode 0006264323c240c3ac04a368779ffccdfdb300000000
success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
FileId unicode 0000a7117f414fe09e348903ed619a02b0c659711a62
success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
LowerCaseLongPath unicode c:\program files (x86)\microsoft office\root\office16\excel.exe
success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
LongPathHash unicode excel.exe|d697219a success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
Name unicode EXCEL.EXE success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
Publisher unicode microsoft corporation success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
Version unicode 16.0.11001.20108 success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
BinFileVersion unicode 16.0.11001.20108 success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
BinaryType unicode pe32_i386 success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
ProductName unicode microsoft office success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
ProductVersion unicode 16.0.11001.20108 success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
LinkDate unicode 11/12/2018 02:39:06 success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
BinProductVersion unicode 16.0.11001.20108 success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
Size B 18 29 9D 02 00 00 00 00 success or wait 1 64BC36BF unknown
Key CreatedKey Created
Key Value CreatedKey Value Created
Copyright null 2020 Page 87 of 113
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
Language dword 0 success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
IsPeFile dword 1 success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
IsOsComponent dword 0 success or wait 1 64BC36BF unknown
\REGISTRY\A\{02e1dbea-cb29-7acb-f87d-d24758c6644c}\Root\InventoryApplicationFile\excel.exe|d697219a
Usn B F0 39 3D 07 00 00 00 00 success or wait 1 64BC36BF unknown
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug
ExceptionRecord binary 05 00 00 C0 00 00 00 00 00 00 00 00 90 FF 4B 77 02 00 00 00 00 00 00 00 00 00 A8 F3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
success or wait 1 64BC1FE8 RegSetValueExW
Key Path Name Type Data Completion CountSourceAddress Symbol
Key Path Name Type Old Data New Data Completion CountSourceAddress Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
unicode array
\??\C:\Program Files (x86)\Google\Update\1.3.34.11
\??\C:\Program Files (x86)\Google\Update\1.3.34.11\??\C:\Windows\AppCompat\Programs\Amcache.hve.tmp!\??\C:\Windows\AppCompat\Programs\Amcache.hve
success or wait 1 64BC36BF unknown
File ActivitiesFile Activities
Start time: 19:22:29
Start date: 12/06/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 4520
Imagebase: 0xa10000
File size: 434584 bytes
MD5 hash: 80E91E3C0F5563E4049B62FCAF5D67AC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
File Path Access Attributes Options Completion CountSourceAddress Symbol
C:\Users\user\AppData\Local\DBG read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision 1 64BB1717 unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp read attributes | synchronize | generic read
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp read attributes | synchronize | generic read
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
Key Value ModifiedKey Value Modified
Analysis Process: WerFault.exe PID: 4664 Parent PID: 5416Analysis Process: WerFault.exe PID: 4664 Parent PID: 5416
General
File CreatedFile Created
Copyright null 2020 Page 88 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2515.tmp read attributes | synchronize | generic read
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2515.tmp.xml read attributes | synchronize | generic read | generic write
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_126c269a
read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_126c269a\Report.wer
read attributes | synchronize | generic write
device synchronous io non alert | non directory file
success or wait 1 64BA497A unknown
File Path Access Attributes Options Completion CountSourceAddress Symbol
File Path Completion CountSourceAddress Symbol
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2515.tmp success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2515.tmp.xml success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2508.tmp.csv success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER268F.tmp.txt success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 32 4d 44 4d 50 93 a7 ee a0 0f 00 00 00 20 00 00 00 00 00 00 00 67 38 e4 5e a4 05 12 00 00 00 00 00
MDMP........ .......g8.^........ success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 6 00 00 00 00 00 00 ...... success or wait 1 64BA497A unknown
File DeletedFile Deleted
File WrittenFile Written
Copyright null 2020 Page 89 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 1420 00 00 06 00 02 3f 04 01 0a 00 00 00 00 00 00 00 ee 42 00 00 02 00 00 00 ac 54 00 00 00 01 00 00 47 65 6e 75 69 6e 65 49 6e 74 65 6c f2 06 03 00 ff fb 8b 17 00 00 00 00 54 05 00 00 f7 03 00 00 28 15 00 00 cc 37 e4 5e 05 00 00 00 3a 00 00 00 a4 0d 00 00 a4 0d 00 00 a4 0d 00 00 01 00 00 00 01 00 00 00 00 30 00 00 0d 00 00 00 00 00 00 00 02 00 00 00 e0 01 00 00 50 00 61 00 63 00 69 00 66 00 69 00 63 00 20 00 53 00 74 00 61 00 6e 00 64 00 61 00 72 00 64 00 20 00 54 00 69 00 6d 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 00 00 01 00 02 00 00 00 00 00 00 00 00 00 00 00 50 00 61 00 63 00 69 00 66 00 69 00 63 00 20 00 44 00 61 00 79 00 6c 00 69 00 67 00 68 00 74 00 20 00 54 00 69 00 6d 00 65 00 00 00 00 00 00 00 00 00 00
.....?...........B.......T....
..GenuineIntel............T...
....(....7.^....:.............
...........0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e..........
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 716 7f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa 2b 00 00 00 53 00 00 00 2b 00 00 00 2b 00 00 00 c8 53 25 1b 00 00 a8 f3 00 00 00 00 c8 53 25 1b 11 00 00 00 11 00 00 00 c0 f5 90 19 90 ff 4b 77 23 00 00 00 86 02 01 00 88 f5 90 19 2b 00 00 00 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
..............................
..............................
..............................
..............................
....................+...S...+.
..+....S%..........S%.........
......Kw#...........+.........
..............................
...............
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 90 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 168 f0 17 00 00 00 00 00 00 05 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 90 ff 4b 77 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 f3 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc 02 00 00 70 69 00 00
..........................Kw..
..............................
..............................
..............................
..............................
..............pi..
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 20 d9 00 00 00 e0 73 d0 03 00 00 00 00 04 00 00 00 54 c5 00 00
.....s..........T... success or wait 217 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 4 44 24 89 6d D$.m success or wait 216 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 4 74 99 3b 6d t.;m success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 4 1b 00 00 00 .... success or wait 27 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 716 3f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa 2b 00 00 00 53 00 00 00 2b 00 00 00 2b 00 00 00 aa aa aa aa aa aa aa aa 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 b7 96 03 9c 2b cf 76 23 00 00 00 06 02 00 00 5c b6 96 03 2b 00 00 00 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
?...........................................................................................................................................+...S...+...+................................+.v#.......\...+......................................................
success or wait 27 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 48 f0 17 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 f0 6b 03 00 00 00 00 6c ee 90 19 00 00 00 00 94 11 00 00 21 0b 03 00 cc 02 00 00 f4 b4 00 00
........ .........k.....l.....
......!...........success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 4 a4 00 00 00 .... success or wait 164 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 24 12 00 00 00 45 00 58 00 43 00 45 00 4c 00 2e 00 45 00 58 00 45 00 00 00
....E.X.C.E.L...E.X.E... success or wait 164 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 91 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 120 00 00 a8 03 00 00 00 00 00 c0 04 00 00 00 00 00 50 a0 f1 5a 58 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 18 00 00 00 08 00 00 00
................P..ZXh........
..............................
..............................
..............................
success or wait 8 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 54 30 00 00 00 72 00 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 70 00 6f 00 6c 00 69 00 63 00 79 00 63 00 6c 00 69 00 65 00 6e 00 74 00 2e 00 64 00 6c 00 6c 00 00 00
0...r.e.s.o.u.r.c.e.p.o.l.i.c.y.c.l.i.e.n.t...d.l.l...
success or wait 8 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 668 00 00 9f 64 00 00 00 00 00 00 40 00 69 49 40 00 53 37 f1 3e 48 69 00 00 01 00 0f 00 5a 62 02 00 00 10 00 00 8d ff 07 00 01 00 00 00 ef ff 07 00 00 00 01 00 00 00 01 00 00 00 00 00 ff ff fe 7f 00 00 00 00 0f 00 00 00 00 00 00 00 04 00 00 00 00 20 4c 00 00 00 00 00 00 20 74 02 00 00 00 00 71 e6 02 00 00 01 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 74 94 03 00 00 00 00 00 95 33 04 00 00 00 00 00 35 b6 01 00 00 00 00 00 58 1d 1b 00 00 00 00 00 e8 e1 04 00 00 00 00 00 40 ff 1f 00 00 00 00 00 e0 51 06 00 00 00 00 00 c0 1f 26 26 01 00 00 00 65 04 48 4b 00 00 00 00 93 4d 09 23 00 00 00 00 59 4f d0 03 00 00 00 00 69 79 08 00 62 82 05 00 55 f3 05 00 2e 55 05 00 e8 e1 04 00 8d ff 10 00 e0 51 06 00 4e 65 42 00 75 dd 01 00 59 2e 1f 00 00 00 00 00 44 00 22 00 d1 8a 05
[email protected]@.S7.>Hi......Zb
..............................
..................... L...... t.....q...................t........3......5.......X...............@........Q........&&....e.HK.....M.#....YO......iy..b...U....U...........Q..NeB.u...Y.......D."....
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 92 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 82898 06 00 00 00 4b 00 65 00 79 00 00 00 06 00 00 00 4b 00 65 00 79 00 00 00 0a 00 00 00 45 00 76 00 65 00 6e 00 74 00 00 00 00 00 00 00 06 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 28 00 00 00 57 00 61 00 69 00 74 00 43 00 6f 00 6d 00 70 00 6c 00 65 00 74 00 69 00 6f 00 6e 00 50 00 61 00 63 00 6b 00 65 00 74 00 00 00 18 00 00 00 49 00 6f 00 43 00 6f 00 6d 00 70 00 6c 00 65 00 74 00 69 00 6f 00 6e 00 00 00 1e 00 00 00 54 00 70 00 57 00 6f 00 72 00 6b 00 65 00 72 00 46 00 61 00 63 00 74 00 6f 00 72 00 79 00 00 00 0e 00 00 00 49 00 52 00 54 00 69 00 6d 00 65 00 72 00 00 00 28 00 00 00 57 00 61 00 69 00 74 00 43 00 6f 00 6d 00 70 00 6c 00 65 00 74 00 69 00 6f 00 6e 00 50 00 61 00 63 00 6b 00 65 00 74 00 00 00 0e 00 00 00 49 00 52 00 54 00 69 00 6d 00 65 00 72
....K.e.y.......K.e.y.......E.v.e.n.t.......................(...W.a.i.t.C.o.m.p.l.e.t.i.o.n.P.a.c.k.e.t.......I.o.C.o.m.p.l.e.t.i.o.n.......T.p.W.o.r.k.e.r.F.a.c.t.o.r.y.......I.R.T.i.m.e.r...(...W.a.i.t.C.o.m.p.l.e.t.i.o.n.P.a.c.k.e.t.......I.R.T.i.m.e.r
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1ED9.tmp.dmp
unknown 120 03 00 00 00 14 05 00 00 08 07 00 00 04 00 00 00 34 45 00 00 28 0c 00 00 0e 00 00 00 cc 00 00 00 5c 51 00 00 05 00 00 00 94 0d 00 00 c0 b7 00 00 06 00 00 00 a8 00 00 00 60 06 00 00 07 00 00 00 38 00 00 00 d4 00 00 00 0f 00 00 00 54 05 00 00 0c 01 00 00 0c 00 00 00 e8 c7 00 00 bb fc 03 00 15 00 00 00 ec 01 00 00 28 52 00 00 16 00 00 00 98 00 00 00 14 54 00 00
................4E..(.........
..\Q......................`...
....8...........T.............
..............(R...........T..
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 ff fe .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 78 3c 00 3f 00 78 00 6d 00 6c 00 20 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3d 00 22 00 31 00 2e 00 30 00 22 00 20 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 3d 00 22 00 55 00 54 00 46 00 2d 00 31 00 36 00 22 00 3f 00 3e 00
<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 38 3c 00 57 00 45 00 52 00 52 00 65 00 70 00 6f 00 72 00 74 00 4d 00 65 00 74 00 61 00 64 00 61 00 74 00 61 00 3e 00
<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 93 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 44 3c 00 4f 00 53 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 82 3c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 4e 00 54 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3e 00 31 00 30 00 2e 00 30 00 3c 00 2f 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 4e 00 54 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3e 00
<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 40 3c 00 42 00 75 00 69 00 6c 00 64 00 3e 00 31 00 37 00 31 00 33 00 34 00 3c 00 2f 00 42 00 75 00 69 00 6c 00 64 00 3e 00
<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 82 3c 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 3e 00 28 00 30 00 78 00 33 00 30 00 29 00 3a 00 20 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 31 00 30 00 20 00 50 00 72 00 6f 00 3c 00 2f 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 3e 00
<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 62 3c 00 45 00 64 00 69 00 74 00 69 00 6f 00 6e 00 3e 00 50 00 72 00 6f 00 66 00 65 00 73 00 73 00 69 00 6f 00 6e 00 61 00 6c 00 3c 00 2f 00 45 00 64 00 69 00 74 00 69 00 6f 00 6e 00 3e 00
<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 94 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 138 3c 00 42 00 75 00 69 00 6c 00 64 00 53 00 74 00 72 00 69 00 6e 00 67 00 3e 00 31 00 37 00 31 00 33 00 34 00 2e 00 31 00 36 00 35 00 2e 00 61 00 6d 00 64 00 36 00 34 00 66 00 72 00 65 00 2e 00 72 00 73 00 34 00 5f 00 72 00 65 00 6c 00 65 00 61 00 73 00 65 00 2e 00 31 00 38 00 30 00 34 00 31 00 30 00 2d 00 31 00 38 00 30 00 34 00 3c 00 2f 00 42 00 75 00 69 00 6c 00 64 00 53 00 74 00 72 00 69 00 6e 00 67 00 3e 00
<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1.6.5...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 48 3c 00 52 00 65 00 76 00 69 00 73 00 69 00 6f 00 6e 00 3e 00 31 00 36 00 35 00 3c 00 2f 00 52 00 65 00 76 00 69 00 73 00 69 00 6f 00 6e 00 3e 00
<.R.e.v.i.s.i.o.n.>.1.6.5.<./.R.e.v.i.s.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 72 3c 00 46 00 6c 00 61 00 76 00 6f 00 72 00 3e 00 4d 00 75 00 6c 00 74 00 69 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 6f 00 72 00 20 00 46 00 72 00 65 00 65 00 3c 00 2f 00 46 00 6c 00 61 00 76 00 6f 00 72 00 3e 00
<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 64 3c 00 41 00 72 00 63 00 68 00 69 00 74 00 65 00 63 00 74 00 75 00 72 00 65 00 3e 00 58 00 36 00 34 00 3c 00 2f 00 41 00 72 00 63 00 68 00 69 00 74 00 65 00 63 00 74 00 75 00 72 00 65 00 3e 00
<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 34 3c 00 4c 00 43 00 49 00 44 00 3e 00 31 00 30 00 33 00 33 00 3c 00 2f 00 4c 00 43 00 49 00 44 00 3e 00
<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 46 3c 00 2f 00 4f 00 53 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 95 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 40 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 30 3c 00 50 00 69 00 64 00 3e 00 35 00 34 00 31 00 36 00 3c 00 2f 00 50 00 69 00 64 00 3e 00
<.P.i.d.>.5.4.1.6.<./.P.i.d.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 64 3c 00 49 00 6d 00 61 00 67 00 65 00 4e 00 61 00 6d 00 65 00 3e 00 45 00 58 00 43 00 45 00 4c 00 2e 00 45 00 58 00 45 00 3c 00 2f 00 49 00 6d 00 61 00 67 00 65 00 4e 00 61 00 6d 00 65 00 3e 00
<.I.m.a.g.e.N.a.m.e.>.E.X.C.E.L...E.X.E.<./.I.m.a.g.e.N.a.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 90 3c 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 3e 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 3c 00 2f 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 3e 00
<.C.m.d.L.i.n.e.S.i.g.n.a.t.u.r.e.>.0.0.0.0.0.0.0.0.<./.C.m.d.L.i.n.e.S.i.g.n.a.t.u.r.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 46 3c 00 55 00 70 00 74 00 69 00 6d 00 65 00 3e 00 31 00 35 00 35 00 37 00 38 00 38 00 3c 00 2f 00 55 00 70 00 74 00 69 00 6d 00 65 00 3e 00
<.U.p.t.i.m.e.>.1.5.5.7.8.8.<./.U.p.t.i.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 82 3c 00 57 00 6f 00 77 00 36 00 34 00 20 00 67 00 75 00 65 00 73 00 74 00 3d 00 22 00 33 00 33 00 32 00 22 00 20 00 68 00 6f 00 73 00 74 00 3d 00 22 00 33 00 34 00 34 00 30 00 34 00 22 00 3e 00 31 00 3c 00 2f 00 57 00 6f 00 77 00 36 00 34 00 3e 00
<.W.o.w.6.4. .g.u.e.s.t.=.".3.3.2.". .h.o.s.t.=.".3.4.4.0.4.".>.1.<./.W.o.w.6.4.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 96 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 52 3c 00 49 00 70 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00 30 00 3c 00 2f 00 49 00 70 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00
<.I.p.t.E.n.a.b.l.e.d.>.0.<./.I.p.t.E.n.a.b.l.e.d.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 44 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 56 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.P.r.o.c.e.s.s.V.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 88 3c 00 50 00 65 00 61 00 6b 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00 37 00 31 00 30 00 32 00 35 00 38 00 36 00 38 00 38 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00
<.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.>.7.1.0.2.5.8.6.8.8.<./.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 72 3c 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00 36 00 38 00 39 00 33 00 31 00 39 00 39 00 33 00 36 00 3c 00 2f 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00
<.V.i.r.t.u.a.l.S.i.z.e.>.6.8.9.3.1.9.9.3.6.<./.V.i.r.t.u.a.l.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 76 3c 00 50 00 61 00 67 00 65 00 46 00 61 00 75 00 6c 00 74 00 43 00 6f 00 75 00 6e 00 74 00 3e 00 37 00 33 00 39 00 39 00 39 00 3c 00 2f 00 50 00 61 00 67 00 65 00 46 00 61 00 75 00 6c 00 74 00 43 00 6f 00 75 00 6e 00 74 00 3e 00
<.P.a.g.e.F.a.u.l.t.C.o.u.n.t.>.7.3.9.9.9.<./.P.a.g.e.F.a.u.l.t.C.o.u.n.t.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 97 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 100 3c 00 50 00 65 00 61 00 6b 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00 31 00 35 00 36 00 34 00 39 00 31 00 37 00 37 00 36 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00
<.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.1.5.6.4.9.1.7.7.6.<./.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 82 3c 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00 35 00 35 00 30 00 39 00 35 00 32 00 39 00 36 00 3c 00 2f 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00
<.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.5.5.0.9.5.2.9.6.<./.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 116 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 31 00 31 00 36 00 39 00 31 00 33 00 36 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.1.1.6.9.1.3.6.<./.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 100 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 31 00 31 00 33 00 35 00 32 00 33 00 32 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.1.1.3.5.2.3.2.<./.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 98 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 126 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 36 00 37 00 30 00 31 00 35 00 32 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.6.7.0.1.5.2.<./.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 110 3c 00 51 00 75 00 6f 00 74 00 61 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 36 00 36 00 39 00 37 00 34 00 34 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.6.6.9.7.4.4.<./.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 80 3c 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 31 00 30 00 30 00 34 00 33 00 38 00 30 00 31 00 36 00 3c 00 2f 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.a.g.e.f.i.l.e.U.s.a.g.e.>.1.0.0.4.3.8.0.1.6.<./.P.a.g.e.f.i.l.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 96 3c 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 31 00 31 00 32 00 30 00 38 00 37 00 30 00 34 00 30 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.>.1.1.2.0.8.7.0.4.0.<./.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 99 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 76 3c 00 50 00 72 00 69 00 76 00 61 00 74 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 31 00 30 00 30 00 34 00 33 00 38 00 30 00 31 00 36 00 3c 00 2f 00 50 00 72 00 69 00 76 00 61 00 74 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.r.i.v.a.t.e.U.s.a.g.e.>.1.0.0.4.3.8.0.1.6.<./.P.r.i.v.a.t.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 46 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 56 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.P.r.o.c.e.s.s.V.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 30 3c 00 50 00 61 00 72 00 65 00 6e 00 74 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 3e 00
<.P.a.r.e.n.t.P.r.o.c.e.s.s.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 40 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 28 3c 00 50 00 69 00 64 00 3e 00 37 00 30 00 30 00 3c 00 2f 00 50 00 69 00 64 00 3e 00
<.P.i.d.>.7.0.0.<./.P.i.d.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 68 3c 00 49 00 6d 00 61 00 67 00 65 00 4e 00 61 00 6d 00 65 00 3e 00 73 00 76 00 63 00 68 00 6f 00 73 00 74 00 2e 00 65 00 78 00 65 00 3c 00 2f 00 49 00 6d 00 61 00 67 00 65 00 4e 00 61 00 6d 00 65 00 3e 00
<.I.m.a.g.e.N.a.m.e.>.s.v.c.h.o.s.t...e.x.e.<./.I.m.a.g.e.N.a.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 90 3c 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 3e 00 38 00 30 00 30 00 30 00 34 00 30 00 30 00 35 00 3c 00 2f 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 3e 00
<.C.m.d.L.i.n.e.S.i.g.n.a.t.u.r.e.>.8.0.0.0.4.0.0.5.<./.C.m.d.L.i.n.e.S.i.g.n.a.t.u.r.e.>.
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 100 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 48 3c 00 55 00 70 00 74 00 69 00 6d 00 65 00 3e 00 35 00 35 00 31 00 32 00 38 00 36 00 37 00 3c 00 2f 00 55 00 70 00 74 00 69 00 6d 00 65 00 3e 00
<.U.p.t.i.m.e.>.5.5.1.2.8.6.7.<./.U.p.t.i.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 78 3c 00 57 00 6f 00 77 00 36 00 34 00 20 00 67 00 75 00 65 00 73 00 74 00 3d 00 22 00 30 00 22 00 20 00 68 00 6f 00 73 00 74 00 3d 00 22 00 33 00 34 00 34 00 30 00 34 00 22 00 3e 00 30 00 3c 00 2f 00 57 00 6f 00 77 00 36 00 34 00 3e 00
<.W.o.w.6.4. .g.u.e.s.t.=.".0.". .h.o.s.t.=.".3.4.4.0.4.".>.0.<./.W.o.w.6.4.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 52 3c 00 49 00 70 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00 30 00 3c 00 2f 00 49 00 70 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00
<.I.p.t.E.n.a.b.l.e.d.>.0.<./.I.p.t.E.n.a.b.l.e.d.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 44 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 56 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.P.r.o.c.e.s.s.V.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 90 3c 00 50 00 65 00 61 00 6b 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00 34 00 32 00 39 00 34 00 39 00 36 00 37 00 32 00 39 00 35 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00
<.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.>.4.2.9.4.9.6.7.2.9.5.<./.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 101 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 74 3c 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00 34 00 32 00 39 00 34 00 39 00 36 00 37 00 32 00 39 00 35 00 3c 00 2f 00 56 00 69 00 72 00 74 00 75 00 61 00 6c 00 53 00 69 00 7a 00 65 00 3e 00
<.V.i.r.t.u.a.l.S.i.z.e.>.4.2.9.4.9.6.7.2.9.5.<./.V.i.r.t.u.a.l.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 76 3c 00 50 00 61 00 67 00 65 00 46 00 61 00 75 00 6c 00 74 00 43 00 6f 00 75 00 6e 00 74 00 3e 00 31 00 35 00 30 00 32 00 30 00 3c 00 2f 00 50 00 61 00 67 00 65 00 46 00 61 00 75 00 6c 00 74 00 43 00 6f 00 75 00 6e 00 74 00 3e 00
<.P.a.g.e.F.a.u.l.t.C.o.u.n.t.>.1.5.0.2.0.<./.P.a.g.e.F.a.u.l.t.C.o.u.n.t.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 98 3c 00 50 00 65 00 61 00 6b 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00 32 00 30 00 34 00 35 00 31 00 33 00 32 00 38 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00
<.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.2.0.4.5.1.3.2.8.<./.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 80 3c 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00 33 00 31 00 31 00 37 00 30 00 35 00 36 00 3c 00 2f 00 57 00 6f 00 72 00 6b 00 69 00 6e 00 67 00 53 00 65 00 74 00 53 00 69 00 7a 00 65 00 3e 00
<.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.3.1.1.7.0.5.6.<./.W.o.r.k.i.n.g.S.e.t.S.i.z.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 114 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 35 00 30 00 33 00 32 00 34 00 30 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.5.0.3.2.4.0.<./.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 102 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 98 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 34 00 32 00 34 00 36 00 34 00 30 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.4.2.4.6.4.0.<./.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 124 3c 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 32 00 34 00 38 00 39 00 36 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 50 00 65 00 61 00 6b 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.2.4.8.9.6.<./.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 108 3c 00 51 00 75 00 6f 00 74 00 61 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00 32 00 33 00 34 00 30 00 38 00 3c 00 2f 00 51 00 75 00 6f 00 74 00 61 00 4e 00 6f 00 6e 00 50 00 61 00 67 00 65 00 64 00 50 00 6f 00 6f 00 6c 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.2.3.4.0.8.<./.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 76 3c 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 38 00 32 00 31 00 32 00 34 00 38 00 30 00 3c 00 2f 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.a.g.e.f.i.l.e.U.s.a.g.e.>.8.2.1.2.4.8.0.<./.P.a.g.e.f.i.l.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 103 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 92 3c 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 38 00 34 00 37 00 34 00 36 00 32 00 34 00 3c 00 2f 00 50 00 65 00 61 00 6b 00 50 00 61 00 67 00 65 00 66 00 69 00 6c 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.>.8.4.7.4.6.2.4.<./.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 5 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 72 3c 00 50 00 72 00 69 00 76 00 61 00 74 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00 38 00 32 00 31 00 32 00 34 00 38 00 30 00 3c 00 2f 00 50 00 72 00 69 00 76 00 61 00 74 00 65 00 55 00 73 00 61 00 67 00 65 00 3e 00
<.P.r.i.v.a.t.e.U.s.a.g.e.>.8.2.1.2.4.8.0.<./.P.r.i.v.a.t.e.U.s.a.g.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 4 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 46 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 56 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.P.r.o.c.e.s.s.V.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 42 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 32 3c 00 2f 00 50 00 61 00 72 00 65 00 6e 00 74 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 3e 00
<./.P.a.r.e.n.t.P.r.o.c.e.s.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 42 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 38 3c 00 50 00 72 00 6f 00 62 00 6c 00 65 00 6d 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 73 00 3e 00
<.P.r.o.b.l.e.m.S.i.g.n.a.t.u.r.e.s.>.
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 104 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 62 3c 00 45 00 76 00 65 00 6e 00 74 00 54 00 79 00 70 00 65 00 3e 00 41 00 50 00 50 00 43 00 52 00 41 00 53 00 48 00 3c 00 2f 00 45 00 76 00 65 00 6e 00 74 00 54 00 79 00 70 00 65 00 3e 00
<.E.v.e.n.t.T.y.p.e.>.A.P.P.C.R.A.S.H.<./.E.v.e.n.t.T.y.p.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 8 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 16 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 68 3c 00 50 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 30 00 3e 00 45 00 58 00 43 00 45 00 4c 00 2e 00 45 00 58 00 45 00 3c 00 2f 00 50 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 30 00 3e 00
<.P.a.r.a.m.e.t.e.r.0.>.E.X.C.E.L...E.X.E.<./.P.a.r.a.m.e.t.e.r.0.>.
success or wait 8 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 40 3c 00 2f 00 50 00 72 00 6f 00 62 00 6c 00 65 00 6d 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 73 00 3e 00
<./.P.r.o.b.l.e.m.S.i.g.n.a.t.u.r.e.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 38 3c 00 44 00 79 00 6e 00 61 00 6d 00 69 00 63 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 73 00 3e 00
<.D.y.n.a.m.i.c.S.i.g.n.a.t.u.r.e.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 6 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 12 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 96 3c 00 50 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 31 00 3e 00 31 00 30 00 2e 00 30 00 2e 00 31 00 37 00 31 00 33 00 34 00 2e 00 32 00 2e 00 30 00 2e 00 30 00 2e 00 32 00 35 00 36 00 2e 00 34 00 38 00 3c 00 2f 00 50 00 61 00 72 00 61 00 6d 00 65 00 74 00 65 00 72 00 31 00 3e 00
<.P.a.r.a.m.e.t.e.r.1.>.1.0...0...1.7.1.3.4...2...0...0...2.5.6...4.8.<./.P.a.r.a.m.e.t.e.r.1.>.
success or wait 6 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 40 3c 00 2f 00 44 00 79 00 6e 00 61 00 6d 00 69 00 63 00 53 00 69 00 67 00 6e 00 61 00 74 00 75 00 72 00 65 00 73 00 3e 00
<./.D.y.n.a.m.i.c.S.i.g.n.a.t.u.r.e.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 105 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 38 3c 00 53 00 79 00 73 00 74 00 65 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.S.y.s.t.e.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 94 3c 00 4d 00 49 00 44 00 3e 00 45 00 33 00 38 00 42 00 36 00 30 00 42 00 33 00 2d 00 35 00 46 00 46 00 41 00 2d 00 34 00 46 00 38 00 38 00 2d 00 41 00 41 00 35 00 38 00 2d 00 43 00 44 00 44 00 34 00 39 00 37 00 45 00 37 00 43 00 42 00 32 00 32 00 3c 00 2f 00 4d 00 49 00 44 00 3e 00
<.M.I.D.>.E.3.8.B.6.0.B.3.-.5.F.F.A.-.4.F.8.8.-.A.A.5.8.-.C.D.D.4.9.7.E.7.C.B.2.2.<./.M.I.D.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 106 3c 00 53 00 79 00 73 00 74 00 65 00 6d 00 4d 00 61 00 6e 00 75 00 66 00 61 00 63 00 74 00 75 00 72 00 65 00 72 00 3e 00 61 00 6a 00 67 00 63 00 71 00 67 00 68 00 20 00 47 00 6d 00 62 00 48 00 3c 00 2f 00 53 00 79 00 73 00 74 00 65 00 6d 00 4d 00 61 00 6e 00 75 00 66 00 61 00 63 00 74 00 75 00 72 00 65 00 72 00 3e 00
<.S.y.s.t.e.m.M.a.n.u.f.a.c.t.u.r.e.r.>.a.j.g.c.q.g.h. .G.m.b.H.<./.S.y.s.t.e.m.M.a.n.u.f.a.c.t.u.r.e.r.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 98 3c 00 53 00 79 00 73 00 74 00 65 00 6d 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 3e 00 70 00 6c 00 78 00 63 00 6b 00 6b 00 6a 00 65 00 6c 00 63 00 3c 00 2f 00 53 00 79 00 73 00 74 00 65 00 6d 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 3e 00
<.S.y.s.t.e.m.P.r.o.d.u.c.t.N.a.m.e.>.p.l.x.c.k.k.j.e.l.c.<./.S.y.s.t.e.m.P.r.o.d.u.c.t.N.a.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 74 3c 00 42 00 49 00 4f 00 53 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3e 00 70 00 6c 00 78 00 63 00 6b 00 6b 00 6a 00 65 00 6c 00 63 00 3c 00 2f 00 42 00 49 00 4f 00 53 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3e 00
<.B.I.O.S.V.e.r.s.i.o.n.>.p.l.x.c.k.k.j.e.l.c.<./.B.I.O.S.V.e.r.s.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 106 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 82 3c 00 4f 00 53 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 44 00 61 00 74 00 65 00 3e 00 31 00 35 00 35 00 38 00 31 00 32 00 33 00 36 00 31 00 36 00 3c 00 2f 00 4f 00 53 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 44 00 61 00 74 00 65 00 3e 00
<.O.S.I.n.s.t.a.l.l.D.a.t.e.>.1.5.5.8.1.2.3.6.1.6.<./.O.S.I.n.s.t.a.l.l.D.a.t.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 102 3c 00 4f 00 53 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 54 00 69 00 6d 00 65 00 3e 00 32 00 30 00 31 00 38 00 2d 00 30 00 37 00 2d 00 31 00 32 00 54 00 30 00 39 00 3a 00 30 00 32 00 3a 00 35 00 36 00 5a 00 3c 00 2f 00 4f 00 53 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 54 00 69 00 6d 00 65 00 3e 00
<.O.S.I.n.s.t.a.l.l.T.i.m.e.>.2.0.1.8.-.0.7.-.1.2.T.0.9.:.0.2.:.5.6.Z.<./.O.S.I.n.s.t.a.l.l.T.i.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 68 3c 00 54 00 69 00 6d 00 65 00 5a 00 6f 00 6e 00 65 00 42 00 69 00 61 00 73 00 3e 00 30 00 38 00 3a 00 30 00 30 00 3c 00 2f 00 54 00 69 00 6d 00 65 00 5a 00 6f 00 6e 00 65 00 42 00 69 00 61 00 73 00 3e 00
<.T.i.m.e.Z.o.n.e.B.i.a.s.>.0.8.:.0.0.<./.T.i.m.e.Z.o.n.e.B.i.a.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 40 3c 00 2f 00 53 00 79 00 73 00 74 00 65 00 6d 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.S.y.s.t.e.m.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 34 3c 00 53 00 65 00 63 00 75 00 72 00 65 00 42 00 6f 00 6f 00 74 00 53 00 74 00 61 00 74 00 65 00 3e 00
<.S.e.c.u.r.e.B.o.o.t.S.t.a.t.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 107 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 114 3c 00 55 00 45 00 46 00 49 00 53 00 65 00 63 00 75 00 72 00 65 00 42 00 6f 00 6f 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00 4e 00 6f 00 74 00 43 00 61 00 70 00 61 00 62 00 6c 00 65 00 3c 00 2f 00 55 00 45 00 46 00 49 00 53 00 65 00 63 00 75 00 72 00 65 00 42 00 6f 00 6f 00 74 00 45 00 6e 00 61 00 62 00 6c 00 65 00 64 00 3e 00
<.U.E.F.I.S.e.c.u.r.e.B.o.o.t.E.n.a.b.l.e.d.>.N.o.t.C.a.p.a.b.l.e.<./.U.E.F.I.S.e.c.u.r.e.B.o.o.t.E.n.a.b.l.e.d.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 36 3c 00 2f 00 53 00 65 00 63 00 75 00 72 00 65 00 42 00 6f 00 6f 00 74 00 53 00 74 00 61 00 74 00 65 00 3e 00
<./.S.e.c.u.r.e.B.o.o.t.S.t.a.t.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 24 3c 00 49 00 6e 00 74 00 65 00 67 00 72 00 61 00 74 00 6f 00 72 00 3e 00
<.I.n.t.e.g.r.a.t.o.r.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 6 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 46 3c 00 46 00 6c 00 61 00 67 00 73 00 3e 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 42 00 3c 00 2f 00 46 00 6c 00 61 00 67 00 73 00 3e 00
<.F.l.a.g.s.>.0.0.0.0.0.0.0.B.<./.F.l.a.g.s.>.
success or wait 3 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 26 3c 00 2f 00 49 00 6e 00 74 00 65 00 67 00 72 00 61 00 74 00 6f 00 72 00 3e 00
<./.I.n.t.e.g.r.a.t.o.r.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 100 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 54 00 69 00 6d 00 65 00 6c 00 69 00 6e 00 65 00 73 00 20 00 42 00 61 00 73 00 65 00 54 00 69 00 6d 00 65 00 3d 00 22 00 32 00 30 00 32 00 30 00 2d 00 30 00 36 00 2d 00 31 00 33 00 54 00 30 00 32 00 3a 00 32 00 32 00 3a 00 33 00 32 00 5a 00 22 00 3e 00
<.P.r.o.c.e.s.s.T.i.m.e.l.i.n.e.s. .B.a.s.e.T.i.m.e.=.".2.0.2.0.-.0.6.-.1.3.T.0.2.:.2.2.:.3.2.Z.".>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 108 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 266 3c 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 20 00 41 00 73 00 49 00 64 00 3d 00 22 00 33 00 38 00 36 00 22 00 20 00 50 00 49 00 44 00 3d 00 22 00 35 00 34 00 31 00 36 00 22 00 20 00 55 00 70 00 74 00 69 00 6d 00 65 00 4d 00 53 00 3d 00 22 00 39 00 33 00 30 00 38 00 31 00 22 00 20 00 54 00 69 00 6d 00 65 00 53 00 69 00 6e 00 63 00 65 00 43 00 72 00 65 00 61 00 74 00 69 00 6f 00 6e 00 4d 00 53 00 3d 00 22 00 39 00 33 00 30 00 38 00 31 00 22 00 20 00 53 00 75 00 73 00 70 00 65 00 6e 00 64 00 65 00 64 00 4d 00 53 00 3d 00 22 00 30 00 22 00 20 00 48 00 61 00 6e 00 67 00 43 00 6f 00 75 00 6e 00 74 00 3d 00 22 00 30 00 22 00 20 00 47 00 68 00 6f 00 73 00 74 00 43 00 6f 00 75 00 6e 00 74 00 3d 00 22 00 32 00 22 00 20 00 43 00 72 00 61 00 73 00 68 00 65 00 64
<.P.r.o.c.e.s.s. .A.s.I.d.=.".3.8.6.". .P.I.D.=.".5.4.1.6.". .U.p.t.i.m.e.M.S.=.".9.3.0.8.1.". .T.i.m.e.S.i.n.c.e.C.r.e.a.t.i.o.n.M.S.=.".9.3.0.8.1.". .S.u.s.p.e.n.d.e.d.M.S.=.".0.". .H.a.n.g.C.o.u.n.t.=.".0.". .G.h.o.s.t.C.o.u.n.t.=.".2.". .C.r.a.s.h.e.d
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 20 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 3e 00
<./.P.r.o.c.e.s.s.>. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 38 3c 00 2f 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 54 00 69 00 6d 00 65 00 6c 00 69 00 6e 00 65 00 73 00 3e 00
<./.P.r.o.c.e.s.s.T.i.m.e.l.i.n.e.s.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 38 3c 00 52 00 65 00 70 00 6f 00 72 00 74 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<.R.e.p.o.r.t.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 98 3c 00 47 00 75 00 69 00 64 00 3e 00 35 00 62 00 38 00 30 00 33 00 37 00 38 00 36 00 2d 00 62 00 35 00 66 00 39 00 2d 00 34 00 39 00 66 00 34 00 2d 00 39 00 61 00 34 00 31 00 2d 00 38 00 66 00 35 00 33 00 35 00 35 00 64 00 64 00 32 00 63 00 30 00 32 00 3c 00 2f 00 47 00 75 00 69 00 64 00 3e 00
<.G.u.i.d.>.5.b.8.0.3.7.8.6.-.b.5.f.9.-.4.9.f.4.-.9.a.4.1.-.8.f.5.3.5.5.d.d.2.c.0.2.<./.G.u.i.d.>.
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 109 of 113
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 2 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 98 3c 00 43 00 72 00 65 00 61 00 74 00 69 00 6f 00 6e 00 54 00 69 00 6d 00 65 00 3e 00 32 00 30 00 32 00 30 00 2d 00 30 00 36 00 2d 00 31 00 33 00 54 00 30 00 32 00 3a 00 32 00 32 00 3a 00 33 00 32 00 5a 00 3c 00 2f 00 43 00 72 00 65 00 61 00 74 00 69 00 6f 00 6e 00 54 00 69 00 6d 00 65 00 3e 00
<.C.r.e.a.t.i.o.n.T.i.m.e.>.2.0.2.0.-.0.6.-.1.3.T.0.2.:.2.2.:.3.2.Z.<./.C.r.e.a.t.i.o.n.T.i.m.e.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 2 09 00 .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 40 3c 00 2f 00 52 00 65 00 70 00 6f 00 72 00 74 00 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 69 00 6f 00 6e 00 3e 00
<./.R.e.p.o.r.t.I.n.f.o.r.m.a.t.i.o.n.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 4 0d 00 0a 00 .... success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER24A7.tmp.WERInternalMetadata.xml
unknown 40 3c 00 2f 00 57 00 45 00 52 00 52 00 65 00 70 00 6f 00 72 00 74 00 4d 00 65 00 74 00 61 00 64 00 61 00 74 00 61 00 3e 00
<./.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2515.tmp.xml
unknown 4574 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 79 65 73 22 3f 3e 0d 0a 3c 72 65 71 20 76 65 72 3d 22 32 22 3e 0d 0a 20 20 3c 74 6c 6d 3e 0d 0a 20 20 20 20 3c 73 72 63 3e 0d 0a 20 20 20 20 20 20 3c 64 65 73 63 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 61 63 68 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 6f 73 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 72 67 20 6e 6d 3d 22 76 65 72 6d 61 6a 22 20 76 61 6c 3d 22 31 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 72 67 20 6e 6d 3d 22 76 65 72 6d 69 6e 22 20 76 61 6c 3d 22 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 72 67 20 6e 6d 3d 22 76 65 72 62 6c 64 22 20 76 61 6c 3d 22
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="
success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_126c269a\Report.wer
unknown 2 ff fe .. success or wait 1 64BA497A unknown
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_126c269a\Report.wer
unknown 22 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3d 00 31 00 0d 00 0a 00
V.e.r.s.i.o.n.=.1..... success or wait 288 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Copyright null 2020 Page 110 of 113
Registry ActivitiesRegistry Activities
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_5ba28ef63b8bb90deff13a5945431f4197fe71a_d21a61c2_126c269a\Report.wer
unknown 46 4d 00 65 00 74 00 61 00 64 00 61 00 74 00 61 00 48 00 61 00 73 00 68 00 3d 00 32 00 31 00 32 00 34 00 30 00 38 00 38 00 35 00 36 00 30 00
M.e.t.a.d.a.t.a.H.a.s.h.=.2.1.2.4.0.8.8.5.6.0.
success or wait 1 64BA497A unknown
File Path Offset Length Value Ascii Completion CountSourceAddress Symbol
Key Path Completion CountSourceAddress Symbol
\REGISTRY\A\{6ecc9da4-3f0b-b0d6-ebba-80b3e1f5b5e8}\Root\InventoryApplicationFile\PermissionsCheckTestKey success or wait 1 64BC36BF unknown
\REGISTRY\A\{6ecc9da4-3f0b-b0d6-ebba-80b3e1f5b5e8}\Root\InventoryApplicationFile\PermissionsCheckTestKey success or wait 1 64BC36BF unknown
\REGISTRY\A\{6ecc9da4-3f0b-b0d6-ebba-80b3e1f5b5e8}\Root\InventoryApplicationFile\PermissionsCheckTestKey success or wait 1 64BA43D1 unknown
Start time: 19:22:34
Start date: 12/06/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 3568
Imagebase: 0xa10000
File size: 434584 bytes
MD5 hash: 80E91E3C0F5563E4049B62FCAF5D67AC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Start time: 19:25:29
Start date: 12/06/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 1172
Imagebase: 0xa10000
File size: 434584 bytes
MD5 hash: 80E91E3C0F5563E4049B62FCAF5D67AC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Start time: 19:25:35
Start date: 12/06/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Key CreatedKey Created
Analysis Process: WerFault.exe PID: 4316 Parent PID: 5416Analysis Process: WerFault.exe PID: 4316 Parent PID: 5416
General
Analysis Process: WerFault.exe PID: 5908 Parent PID: 5416Analysis Process: WerFault.exe PID: 5908 Parent PID: 5416
General
Analysis Process: WerFault.exe PID: 956 Parent PID: 5416Analysis Process: WerFault.exe PID: 956 Parent PID: 5416
General
Copyright null 2020 Page 111 of 113
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 1460
Imagebase: 0xa10000
File size: 434584 bytes
MD5 hash: 80E91E3C0F5563E4049B62FCAF5D67AC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Start time: 19:26:20
Start date: 12/06/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 1980
Imagebase: 0xa10000
File size: 434584 bytes
MD5 hash: 80E91E3C0F5563E4049B62FCAF5D67AC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Start time: 19:26:24
Start date: 12/06/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 4752
Imagebase: 0x9d0000
File size: 434584 bytes
MD5 hash: 80E91E3C0F5563E4049B62FCAF5D67AC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Start time: 19:29:39
Start date: 12/06/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 1168
Imagebase: 0xa10000
File size: 434584 bytes
MD5 hash: 80E91E3C0F5563E4049B62FCAF5D67AC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Analysis Process: WerFault.exe PID: 4856 Parent PID: 5416Analysis Process: WerFault.exe PID: 4856 Parent PID: 5416
General
Analysis Process: WerFault.exe PID: 4312 Parent PID: 5416Analysis Process: WerFault.exe PID: 4312 Parent PID: 5416
General
Analysis Process: WerFault.exe PID: 2600 Parent PID: 5416Analysis Process: WerFault.exe PID: 2600 Parent PID: 5416
General
Copyright null 2020 Page 112 of 113
Disassembly
Start time: 19:29:44
Start date: 12/06/2020
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 2492
Imagebase: 0xa10000
File size: 434584 bytes
MD5 hash: 80E91E3C0F5563E4049B62FCAF5D67AC
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Analysis Process: WerFault.exe PID: 4568 Parent PID: 5416Analysis Process: WerFault.exe PID: 4568 Parent PID: 5416
General
Copyright null 2020 Page 113 of 113