Analysis Overview
SHA256
f64a7307f5e75e2e73e93c5e2ed8009e8698e2c388a707afabbb756ecd0e1261
Threat Level: Known bad
The file HATCH COVER REQ_AW24 New Order Request.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Azorult family
Guloader family
Guloader,Cloudeye
Loads dropped DLL
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 11:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-05 11:27
Reported
2024-11-05 11:29
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5052 wrote to memory of 4000 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5052 wrote to memory of 4000 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5052 wrote to memory of 4000 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4000 -ip 4000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 11:27
Reported
2024-11-05 11:29
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Azorult
Azorult family
Guloader family
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1920 set thread context of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\slutstrenge.tri | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\resources\0409\Semiprofessionalized248\evaluxir.pra | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe
"C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe"
C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe
"C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kenkyo.x24.eu | udp |
| NL | 5.255.110.9:443 | kenkyo.x24.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | cq4cq.icu | udp |
| US | 8.8.8.8:53 | cq4cq.icu | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsyD395.tmp\System.dll
| MD5 | 564bb0373067e1785cba7e4c24aab4bf |
| SHA1 | 7c9416a01d821b10b2eef97b80899d24014d6fc1 |
| SHA256 | 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5 |
| SHA512 | 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 11:27
Reported
2024-11-05 11:29
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
142s
Command Line
Signatures
Azorult
Azorult family
Guloader family
Guloader,Cloudeye
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4504 set thread context of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\slutstrenge.tri | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\resources\0409\Semiprofessionalized248\evaluxir.pra | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4504 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe |
| PID 4504 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe |
| PID 4504 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe |
| PID 4504 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe |
| PID 4504 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe | C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe
"C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe"
C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe
"C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kenkyo.x24.eu | udp |
| NL | 5.255.110.9:443 | kenkyo.x24.eu | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 9.110.255.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cq4cq.icu | udp |
| US | 8.8.8.8:53 | cq4cq.icu | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsbAF9A.tmp\System.dll
| MD5 | 564bb0373067e1785cba7e4c24aab4bf |
| SHA1 | 7c9416a01d821b10b2eef97b80899d24014d6fc1 |
| SHA256 | 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5 |
| SHA512 | 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-05 11:27
Reported
2024-11-05 11:29
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 220