Malware Analysis Report

2025-08-05 11:55

Sample ID 240215-sxjfksaa9s
Target r1522024.exe
SHA256 7e08d267c3771ac900b9ecfe7b293aa7337a276a5929997180709b74114cdacb
Tags remcos client collection persistence rat spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 7e08d267c3771ac900b9ecfe7b293aa7337a276a5929997180709b74114cdacb

Threat Level: Known bad

The file r1522024.exe was found to be: Known bad.

Malicious Activity Summary

remcos client collection persistence rat spyware stealer

Remcos

NirSoft WebBrowserPassView

Nirsoft

NirSoft MailPassView

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-02-15 15:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 15:30

Reported

2024-02-15 15:32

Platform

win7-20231215-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\r1522024.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\disharmonize\semidivided.ini C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\snlig.ini C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\r1522024.exe

"C:\Users\Admin\AppData\Local\Temp\r1522024.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsyB19.tmp\System.dll

MD5 564bb0373067e1785cba7e4c24aab4bf
SHA1 7c9416a01d821b10b2eef97b80899d24014d6fc1
SHA256 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA512 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

C:\Windows\Fonts\snlig.ini

MD5 75285908e15263897f2fe77cc637ef6e
SHA1 cc5a707cae259834b2453a305af9453b7b7412ac
SHA256 6fc175d4186cfb67d46e22b277602aa3ec665ad44c9854e7bdaf0e5a25cefbc5
SHA512 e93afaa0772d9aa9a8d77e44473a5c58cf9f3b214b76d5ed94e08dbc2ae9ef3d67b470073b83c157318bfa67fb44e17833af313efe8ded28e07d55272eb4edb2

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 15:30

Reported

2024-02-15 15:32

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\r1522024.exe"

Signatures

Remcos

rat remcos

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\ProgramData\images\images.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-ZOAGZI = "\"C:\\ProgramData\\images\\images.exe\"" C:\ProgramData\images\images.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Acanthial = "C:\\Users\\Admin\\AppData\\Roaming\\Flockling\\Spkbrtter23.exe" C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ZOAGZI = "\"C:\\ProgramData\\images\\images.exe\"" C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-ZOAGZI = "\"C:\\ProgramData\\images\\images.exe\"" C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Acanthial = "C:\\Users\\Admin\\AppData\\Roaming\\Flockling\\Spkbrtter23.exe" C:\ProgramData\images\images.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ZOAGZI = "\"C:\\ProgramData\\images\\images.exe\"" C:\ProgramData\images\images.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3016 set thread context of 3444 N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe C:\Users\Admin\AppData\Local\Temp\r1522024.exe
PID 4688 set thread context of 4448 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 set thread context of 3840 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 set thread context of 3548 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 set thread context of 3856 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\disharmonize\semidivided.ini C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A
File opened for modification C:\Program Files (x86)\disharmonize\semidivided.ini C:\ProgramData\images\images.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\snlig.ini C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A
File opened for modification C:\Windows\Fonts\snlig.ini C:\ProgramData\images\images.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\images\images.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A
N/A N/A C:\ProgramData\images\images.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\images\images.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe C:\Users\Admin\AppData\Local\Temp\r1522024.exe
PID 3016 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe C:\Users\Admin\AppData\Local\Temp\r1522024.exe
PID 3016 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe C:\Users\Admin\AppData\Local\Temp\r1522024.exe
PID 3016 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe C:\Users\Admin\AppData\Local\Temp\r1522024.exe
PID 3016 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe C:\Users\Admin\AppData\Local\Temp\r1522024.exe
PID 3444 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe C:\ProgramData\images\images.exe
PID 3444 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe C:\ProgramData\images\images.exe
PID 3444 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\r1522024.exe C:\ProgramData\images\images.exe
PID 4688 wrote to memory of 4448 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4688 wrote to memory of 4448 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4688 wrote to memory of 4448 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4688 wrote to memory of 4448 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4688 wrote to memory of 4448 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 wrote to memory of 3840 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 wrote to memory of 3840 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 wrote to memory of 3840 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 wrote to memory of 3548 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 wrote to memory of 3548 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 wrote to memory of 3548 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 wrote to memory of 3856 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 wrote to memory of 3856 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe
PID 4448 wrote to memory of 3856 N/A C:\ProgramData\images\images.exe C:\ProgramData\images\images.exe

Processes

C:\Users\Admin\AppData\Local\Temp\r1522024.exe

"C:\Users\Admin\AppData\Local\Temp\r1522024.exe"

C:\Users\Admin\AppData\Local\Temp\r1522024.exe

"C:\Users\Admin\AppData\Local\Temp\r1522024.exe"

C:\ProgramData\images\images.exe

"C:\ProgramData\images\images.exe"

C:\ProgramData\images\images.exe

"C:\ProgramData\images\images.exe"

C:\ProgramData\images\images.exe

C:\ProgramData\images\images.exe /stext "C:\Users\Admin\AppData\Local\Temp\tncqxbmmzzmfplwxobkne"

C:\ProgramData\images\images.exe

C:\ProgramData\images\images.exe /stext "C:\Users\Admin\AppData\Local\Temp\vpibyuxfnhejassbxmxophtw"

C:\ProgramData\images\images.exe

C:\ProgramData\images\images.exe /stext "C:\Users\Admin\AppData\Local\Temp\gkntzmihbpwwcygfowkqruoflmv"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1456

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 37.48.88.177:80 37.48.88.177 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 177.88.48.37.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
NL 37.48.88.177:80 37.48.88.177 tcp
LV 46.183.223.29:2404 N/A tcp
LV 46.183.223.29:2404 N/A tcp
US 8.8.8.8:53 geoplugin.net udp
LV 46.183.223.29:2404 N/A tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 29.223.183.46.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nss4EAD.tmp\System.dll

MD5 564bb0373067e1785cba7e4c24aab4bf
SHA1 7c9416a01d821b10b2eef97b80899d24014d6fc1
SHA256 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA512 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

C:\ProgramData\images\images.exe

MD5 35562de1445f84deee725deefe31b410
SHA1 0e8168206e896875cccad315a2890820cae1cf33
SHA256 7e08d267c3771ac900b9ecfe7b293aa7337a276a5929997180709b74114cdacb
SHA512 a4b87335b32d87261eb93c9e5e1187adc752897659d6006e7ccad739ca20b2e80f111b4fd653580945e0664dc9fa3383dee7c8477093e2445b9a2a3f4ffc3fa1

C:\Users\Admin\AppData\Local\Petals\Ensand\smrhul\Brdskorpens\Remailed.Kur

MD5 215f935278cc7c17f5a3c612a1941c0f
SHA1 7e38abe1ff045ac3c6b5c10cd645bff54a56ee6d
SHA256 1cc384506c84964e72af778b1421866935ebf4d744ab731ecd364af5965e7cf0
SHA512 e8af35b72dfd96f6c0d4dc4e2afdbd80174877f45a5d728bffc582459701f5ef8311a7b4cb1ec95f278f56be7a615d35c6a288f3733dcf41271af9a97719e77b

C:\Windows\Fonts\snlig.ini

MD5 75285908e15263897f2fe77cc637ef6e
SHA1 cc5a707cae259834b2453a305af9453b7b7412ac
SHA256 6fc175d4186cfb67d46e22b277602aa3ec665ad44c9854e7bdaf0e5a25cefbc5
SHA512 e93afaa0772d9aa9a8d77e44473a5c58cf9f3b214b76d5ed94e08dbc2ae9ef3d67b470073b83c157318bfa67fb44e17833af313efe8ded28e07d55272eb4edb2

C:\Users\Admin\AppData\Roaming\Flockling\Spkbrtter23.exe

MD5 b57bd2b22ec1ca023b23c4254e317918
SHA1 46bcaefb0eda740641f7047c1b27c552e567e37c
SHA256 029f17128cc1e4489a7b0eb12e757afb752200faba25d3e4a58270118de0e1ef
SHA512 4045c46cf25141118b45624d4a58cdb5349fe7f7c6659be01e1c27c9be08f1afe441f481778f4bdaf6451581a09e1af53ebe021b4d35a70d1229ec618d25d3ee

C:\Users\Admin\AppData\Local\Temp\tncqxbmmzzmfplwxobkne

MD5 a53497fd7bf281f61d7d819a649c64bd
SHA1 580d201744bc94c3cf3cb922a79f8313b1011a93
SHA256 34f39f0ccb042a848a325458f619fc07b808653c0bebd8cde69d5f8428cfeec7
SHA512 1fcedb78352bf040a9a693e8389b9e81aa78f4995c6587b213ac57e813493f94bfa65b5d981e67dc32e59d861bb7c9f2f1d36892deee6d39b8371393b01f35dc

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-15 15:30

Reported

2024-02-15 15:32

Platform

win7-20231215-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-15 15:30

Reported

2024-02-15 15:32

Platform

win10v2004-20231215-en

Max time kernel

138s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2752 wrote to memory of 864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2752 wrote to memory of 864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 864 -ip 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp

Files

N/A