Manalyze report for 43d34f35ebaecff7182641b800c398c9

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1982-Jan-11 13:10:32
Detected languages	English - United States
Debug artifacts	WerFault.pdb
CompanyName	Microsoft Corporation
FileDescription	Windows Problem Reporting
FileVersion	`10.0.16299.1146 (WinBuild.160101.0800)`
InternalName	WerFault
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	WerFault.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.16299.1146`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: rundll32.exe` `May have dropper capabilities: CurrentControlSet\Services`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .imrsiv` `Unusual section name found: .didat`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryW` `Functions which can be used for anti-debugging purposes: DbgPrint NtQuerySystemInformation NtQueryInformationProcess CreateToolhelp32Snapshot` `Can access the registry: RegEnumKeyExW RegOpenKeyExW RegCloseKey RegGetKeySecurity RegDeleteValueW RegEnumValueW RegQueryInfoKeyW RegQueryValueExW RegSetValueExW RegCreateKeyExW RegGetValueW RegSetKeySecurity RegSetKeyValueW RegOpenKeyW RegDeleteKeyW` `Possibly launches other programs: CreateProcessW` `Uses Windows's Native API: NtSetSystemInformation NtFreeVirtualMemory NtAllocateVirtualMemory NtDeviceIoControlFile NtCreateFile NtQueryLicenseValue NtQueryInformationThread ZwQueryWnfStateNameInformation ZwUpdateWnfStateData NtQuerySystemInformation NtOpenEvent NtWaitForSingleObject NtAlpcConnectPort NtAlpcSendWaitReceivePort NtClose NtResumeProcess NtSuspendProcess NtQueryInformationProcess` `Uses Microsoft's cryptographic API: CryptReleaseContext CryptAcquireContextW` `Can create temporary files: CreateFileW GetTempPathW` `Functions related to the privilege level: OpenProcessToken CheckTokenMembership` `Interacts with services: OpenServiceW OpenSCManagerW QueryServiceConfigW` `Enumerates local disk drives: GetDriveTypeW GetLogicalDriveStringsW` `Manipulates other processes: OpenProcess ReadProcessMemory`
Info	The PE is digitally signed.	`Signer: Microsoft Windows` `Issuer: Microsoft Windows Production PCA 2011`
Safe	VirusTotal score: 0/72 (Scanned on 2019-12-30 17:17:47)	`All the AVs think this file is safe.`

Hashes

MD5	`43d34f35ebaecff7182641b800c398c9`
SHA1	`a433cf2aea0f8b15afd730c4a3b5e5f042eaa91f`
SHA256	`347eb85856bff45ef9715a1d4be467c20da6243ebdb416e139426ed0b9b757b2`
SHA3	`367384095508f47912a114a3ad4a02ef80c6e4ceaedd0fa12c24de839e89690c`
SSDeep	`6144:DSZEBCEORVG6WoPMDqYOGTVHA1K55LZhN18yNVJyB60OHyLC7v6G:oEIGTopD21h0Wc2Hywb`
Imports Hash	`d81577180806f64f9605065552c89620`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	1982-Jan-11 13:10:32
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x27a00`
SizeOfInitializedData	`0x29c00`
SizeOfUninitializedData	`0x200`
AddressOfEntryPoint	`0x0000000000026F80 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0x57000`
SizeOfHeaders	`0x400`
Checksum	`0x57ad4`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`8e50f670eac95a28256d92626929dc0d`
SHA1	`f8956956358ba9971a02af65e1d4f82495b5afcd`
SHA256	`e8b54654bc79f4817a7fb05093879772f77f7c0caaf7eb983792404434531dc8`
SHA3	`1853248ed3330412cf0234debdf2bc89431753a7bc29244f11a63ba1243eac11`
VirtualSize	`0x2784e`
VirtualAddress	`0x1000`
SizeOfRawData	`0x27a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.29406`

.imrsiv

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x4`
VirtualAddress	`0x29000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rdata

MD5	`7d690d09e2279cd0054ccb9f8203849b`
SHA1	`a5ca1b393699368f3a79b18eb8d2aa67e3a4d5b1`
SHA256	`ac425e03acdae5c2ae15b865e47660a00001bc3ee916a52c97c2539f48f796b5`
SHA3	`3c21c3f340332dc2303726c44ecced8c2227704e8b73e16907ec289790c84e0b`
VirtualSize	`0x10998`
VirtualAddress	`0x2a000`
SizeOfRawData	`0x10a00`
PointerToRawData	`0x27e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.94209`

.data

MD5	`60dc9fbcaf354c75543a340fce436acb`
SHA1	`12d177638ba636bbad14793834675b2a1be779d6`
SHA256	`ee01d1cd010ae89955af9a094ab218106f13c3da052647d77b3cc06b2b493224`
SHA3	`e8a3e6e8b4ea5dae36dade029c4f652938313e0e856f48c4bb79e103be1c1a45`
VirtualSize	`0xd7c`
VirtualAddress	`0x3b000`
SizeOfRawData	`0x600`
PointerToRawData	`0x38800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.87536`

.pdata

MD5	`d252785349fa753778b4f1c678dc16a0`
SHA1	`f1fe9126c8b8afaab192bfcaa605df3aa8443cfc`
SHA256	`23b2a7c1251dfceac286b83de380ee550f3b3778cd4ad778459345c4b943ff66`
SHA3	`1a0af35e509fea12f11ae68067e34d465a98e83411ab3ab8781663597417bb91`
VirtualSize	`0x14d0`
VirtualAddress	`0x3c000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x38e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.24565`

.didat

MD5	`964615cb73c80c55417b0bd65776f8f6`
SHA1	`133c9c4943ac1d3c0d6bda7815e33a020284ac79`
SHA256	`7d4d0c8159307262cfc9ad21e40273713fc38165557cfaedfebf21cd0b5b3767`
SHA3	`95224a9b05c83381701c53d9c45c1101889ab2f2c9e48483f06a7078c184c040`
VirtualSize	`0xb8`
VirtualAddress	`0x3e000`
SizeOfRawData	`0x200`
PointerToRawData	`0x3a400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.301`

.rsrc

MD5	`5ea547f60e5448c16f856a38cf084102`
SHA1	`5a46d582fa32469ffa338ffc03f3d66c30560522`
SHA256	`1625f81d2f7a33d47da4376eac9bf35cc64a7a87e430190826122ba015c69c0f`
SHA3	`c0e12606de9b9c28d6f9df79e3a2a95eadaa449d9798605d9e65d8aeb69edfed`
VirtualSize	`0x16878`
VirtualAddress	`0x3f000`
SizeOfRawData	`0x16a00`
PointerToRawData	`0x3a600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.01415`

.reloc

MD5	`6f9d54a4108ddc52f587e020cd95d826`
SHA1	`7a1a191dc72c23e9813ca364c2c14c8cd2589605`
SHA256	`00f3d82a87fa4fd69023703bb2cbd308fee94d1421339d04b38926945889f9c6`
SHA3	`5d5ca6577e061b26d98a48a1e19a7be3423817f347d3f09447d0dd019c8085a8`
VirtualSize	`0x1e0`
VirtualAddress	`0x56000`
SizeOfRawData	`0x200`
PointerToRawData	`0x51000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.64528`

Imports

msvcrt.dll	`_initterm` `_wtoi64` `wcsrchr` `__C_specific_handler` `tolower` `__setusermatherr` `_cexit` `_exit` `exit` `__set_app_type` `_fmode` `isspace` `__wgetmainargs` `_amsg_exit` `_commode` `wcsstr` `_lock` `_XcptFilter` `towlower` `_purecall` `free` `_vsnprintf_s` `printf` `_unlock` `__dllonexit` `_wtoi` `_onexit` `??0exception@@QEAA@AEBV0@@Z` `wcspbrk` `??1type_info@@UEAA@XZ` `_callnewh` `?terminate@@YAXXZ` `wcschr` `__CxxFrameHandler3` `iswspace` `??0exception@@QEAA@XZ` `_wcsicmp` `_wcsnicmp` `_vscwprintf` `??1exception@@UEAA@XZ` `memmove` `_CxxThrowException` `memcpy_s` `memcpy` `_vsnwprintf` `wcsncmp` `malloc` `memset` `wcscmp`
api-ms-win-core-libraryloader-l1-2-0.dll	`GetModuleFileNameA` `GetProcAddress` `FreeLibraryAndExitThread` `LoadStringW` `GetModuleHandleW` `LoadLibraryExW` `FreeLibrary` `GetModuleHandleExW`
api-ms-win-core-synch-l1-1-0.dll	`SetEvent` `OpenSemaphoreW` `ReleaseMutex` `CreateMutexExW` `OpenMutexW` `CreateMutexW` `WaitForSingleObject` `ReleaseSemaphore` `WaitForSingleObjectEx` `CreateSemaphoreExW` `OpenEventW`
api-ms-win-core-heap-l1-1-0.dll	`GetProcessHeap` `HeapAlloc` `HeapFree` `HeapSetInformation`
api-ms-win-core-errorhandling-l1-1-0.dll	`UnhandledExceptionFilter` `SetLastError` `GetLastError` `SetUnhandledExceptionFilter` `SetErrorMode`
api-ms-win-core-processthreads-l1-1-0.dll	`GetProcessTimes` `GetCurrentProcessId` `GetExitCodeThread` `CreateThread` `SetThreadPriority` `GetCurrentThread` `GetCurrentThreadId` `CreateProcessW` `GetCurrentProcess` `GetThreadPriority` `OpenProcessToken` `TerminateProcess` `OpenThread` `GetProcessId`
api-ms-win-core-localization-l1-2-0.dll	`GetSystemDefaultLangID` `FormatMessageW`
api-ms-win-core-debug-l1-1-0.dll	`OutputDebugStringW` `DebugBreak` `IsDebuggerPresent`
api-ms-win-core-handle-l1-1-0.dll	`DuplicateHandle` `CloseHandle`
api-ms-win-eventing-provider-l1-1-0.dll	`EventSetInformation` `EventUnregister` `EventWrite` `EventRegister` `EventWriteTransfer`
api-ms-win-core-synch-l1-2-0.dll	`Sleep`
api-ms-win-core-rtlsupport-l1-1-0.dll	`RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext`
api-ms-win-core-profile-l1-1-0.dll	`QueryPerformanceCounter`
api-ms-win-core-sysinfo-l1-1-0.dll	`GetSystemInfo` `GetVersionExW` `GetSystemDirectoryW` `GetWindowsDirectoryW` `GetTickCount` `GlobalMemoryStatusEx` `GetSystemTimeAsFileTime`
api-ms-win-core-string-l1-1-0.dll	`MultiByteToWideChar`
api-ms-win-core-heap-l2-1-0.dll	`LocalFree`
ntdll.dll	`DbgPrint` `RtlAllocateHeap` `RtlFreeHeap` `RtlSetThreadErrorMode` `RtlGetUnloadEventTraceEx` `RtlAdjustPrivilege` `NtSetSystemInformation` `NtFreeVirtualMemory` `NtAllocateVirtualMemory` `NtDeviceIoControlFile` `NtCreateFile` `NtQueryLicenseValue` `NtQueryInformationThread` `RtlImageNtHeaderEx` `ZwQueryWnfStateNameInformation` `ZwUpdateWnfStateData` `EtwTraceMessage` `EtwGetTraceLoggerHandle` `EtwGetTraceEnableLevel` `RtlNtStatusToDosError` `EtwEventWriteNoRegistration` `NtQuerySystemInformation` `NtOpenEvent` `NtWaitForSingleObject` `RtlAllocateAndInitializeSid` `RtlInitUnicodeString` `NtAlpcConnectPort` `NtAlpcSendWaitReceivePort` `RtlFreeSid` `NtClose` `RtlCreateProcessReflection` `NtResumeProcess` `NtSuspendProcess` `NtQueryInformationProcess` `DbgPrintEx` `EtwUnregisterTraceGuids` `EtwRegisterTraceGuidsW` `EtwGetTraceEnableFlags`
wer.dll	`WerpAddTerminationReason` `WerpValidateReportKey` `WerpGetStorePath` `WerpSetReportFlags` `WerpGetReportFlags` `WerReportCloseHandle` `WerReportSubmit` `WerpAddFile` `WerReportAddFile` `WerpSetCallBack` `WerpSetTelemetryKernelParams` `WerpSetIntegratorReportId` `WerReportCreate` `WerpSetReportNamespaceParameter` `WerpReportSprintfParameter` `WerpPromptUser`
api-ms-win-downlevel-shlwapi-l2-1-1.dll	`IsOS`
dbghelp.dll	`MiniDumpWriteDump`
api-ms-win-core-windowserrorreporting-l1-1-0.dll	`WerGetFlags`
CRYPTSP.dll	`CryptReleaseContext` `CryptAcquireContextW`
api-ms-win-core-apiquery-l1-1-0.dll	`ApiSetQueryApiSetPresence`
api-ms-win-core-delayload-l1-1-1.dll	`ResolveDelayLoadedAPI`
api-ms-win-core-delayload-l1-1-0.dll	`DelayLoadFailureHook`
api-ms-win-core-processthreads-l1-1-1.dll	`OpenProcess` `GetThreadContext`
api-ms-win-security-base-l1-1-0.dll	`IsValidSid` `CreateWellKnownSid` `FreeSid` `CheckTokenMembership` `GetSidSubAuthority` `AllocateAndInitializeSid` `GetSidSubAuthorityCount` `GetTokenInformation` `CopySid` `GetLengthSid`
api-ms-win-security-sddl-l1-1-0.dll	`ConvertStringSecurityDescriptorToSecurityDescriptorW` `ConvertSidToStringSidW`
api-ms-win-core-file-l1-1-0.dll	`CompareFileTime` `CreateFileW` `ReadFile` `FindClose` `FileTimeToLocalFileTime` `GetFileAttributesW` `FindNextFileW` `GetFileAttributesExW` `SetFileAttributesW` `GetDiskFreeSpaceExW` `WriteFile` `GetDriveTypeW` `GetLogicalDriveStringsW` `QueryDosDeviceW` `GetTempFileNameW` `GetLongPathNameW` `GetFinalPathNameByHandleW` `GetFileSize` `CreateDirectoryW` `DeleteFileW` `FindFirstFileW`
api-ms-win-core-wow64-l1-1-0.dll	`IsWow64Process`
api-ms-win-core-registry-l1-1-0.dll	`RegEnumKeyExW` `RegOpenKeyExW` `RegDeleteTreeW` `RegCloseKey` `RegGetKeySecurity` `RegDeleteValueW` `RegEnumValueW` `RegQueryInfoKeyW` `RegQueryValueExW` `RegSetValueExW` `RegCreateKeyExW` `RegGetValueW` `RegSetKeySecurity`
api-ms-win-core-memory-l1-1-0.dll	`CreateFileMappingW` `VirtualAlloc` `UnmapViewOfFile` `VirtualQueryEx` `MapViewOfFile` `ReadProcessMemory` `VirtualFree` `OpenFileMappingW`
api-ms-win-core-threadpool-l1-2-0.dll	`WaitForThreadpoolWaitCallbacks` `CloseThreadpoolWait` `SetThreadpoolWait` `CreateThreadpoolWait`
api-ms-win-core-synch-l1-2-1.dll	`WaitForMultipleObjects`
api-ms-win-core-processenvironment-l1-1-0.dll	`GetCommandLineW` `ExpandEnvironmentStringsW`
api-ms-win-eventing-controller-l1-1-0.dll	`StartTraceW` `StopTraceW`
RPCRT4.dll	`UuidToStringW` `RpcStringFreeW` `UuidCreate`
api-ms-win-core-timezone-l1-1-0.dll	`FileTimeToSystemTime`
api-ms-win-service-management-l1-1-0.dll	`OpenServiceW` `OpenSCManagerW` `CloseServiceHandle` `StartServiceW`
api-ms-win-service-management-l2-1-0.dll	`QueryServiceConfigW`
api-ms-win-core-sysinfo-l1-2-0.dll	`GetProductInfo`
api-ms-win-core-file-l2-1-0.dll	`MoveFileExW`
api-ms-win-core-processsnapshot-l1-1-0.dll	`PssDuplicateSnapshot` `PssCaptureSnapshot`
api-ms-win-core-psapi-l1-1-0.dll	`K32EnumProcessModules` `K32GetModuleFileNameExW`
api-ms-win-core-registry-l1-1-1.dll	`RegSetKeyValueW`
api-ms-win-core-libraryloader-l1-2-1.dll	`LoadLibraryW`
bcrypt.dll	`BCryptDestroyHash` `BCryptFinishHash` `BCryptCreateHash` `BCryptHashData`
api-ms-win-core-version-l1-1-0.dll	`GetFileVersionInfoSizeExW` `GetFileVersionInfoExW` `VerQueryValueW`
api-ms-win-core-file-l1-2-0.dll	`GetTempPathW`
api-ms-win-eventing-legacy-l1-1-0.dll	`QueryTraceW` `EnableTrace`
api-ms-win-core-registry-l2-1-0.dll	`RegOpenKeyW` `RegDeleteKeyW`
api-ms-win-eventlog-legacy-l1-1-0.dll	`RegisterEventSourceW` `ReportEventW` `DeregisterEventSource`
api-ms-win-core-toolhelp-l1-1-0.dll	`Module32FirstW` `Module32NextW` `CreateToolhelp32Snapshot` `Thread32First` `Thread32Next`
api-ms-win-core-shlwapi-obsolete-l1-1-0.dll	`StrStrIW`
api-ms-win-security-trustee-l1-1-0.dll	`BuildSecurityDescriptorW`
api-ms-win-core-localization-obsolete-l1-2-0.dll	`GetUserDefaultUILanguage`
faultrep.dll	`WerpInitiateCrashReporting`
api-ms-win-shell-shellfolders-l1-1-0.dll (delay-loaded)	`SHCreateDirectoryExW` `SHGetFolderPathW`

Delayed Imports

Attributes	`0x1`
Name	`api-ms-win-shell-shellfolders-l1-1-0.dll`
ModuleHandle	`0x3baf0`
DelayImportAddressTable	`0x3e048`
DelayImportNameTable	`0x37a70`
BoundDelayImportTable	`0x37cb8`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xf8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.77836`
MD5	`c22f144a19c009b3fc28ae1ec8da3f84`
SHA1	`323c604af12418fa5724ba2b9d8d89e844d420ee`
SHA256	`cdb9247428f91dfae3fec36467b65ddb4c5b1e57f9fb9ca94d377dd98760b940`
SHA3	`fab2e566283860f24efa8d82ceb3aba0cd3b0af277ff64bcdf689f2dc0a00040`

1 (#2)

Type	`WEVT_TEMPLATE`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2c7a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.92317`
MD5	`941981ed3b0f97782b8f7734b5727003`
SHA1	`f763c32db944adffe568ff3212247382ff75421f`
SHA256	`149895684d3276ac3d02f94931de56bf3bf23e9e1b8bede73c789ce61b9b0069`
SHA3	`42ee5b79806de33bd0c4c1290b0d54232d58acdd8a32c9ebfd75c2626b5af457`

1 (#3)

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x668`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.13531`
MD5	`441c6a72b53abc81e2fafbfcff8174a6`
SHA1	`ea91e154d10a3c9fec8c7e36d56b4ca9e685df67`
SHA256	`bc302c14831c64a5275e7f3c8b79cb39126bd1534016497e695af922cbf689ba`
SHA3	`cb2ec47085f75d6949a911a958532d875c0813dcbfafb47c6cefcb28eeec2888`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.30196`
MD5	`0fc166d0a501f25a250ff82b6df55773`
SHA1	`11042c6dd7a4e006d064f7dc0de9663c67d47aa0`
SHA256	`93e1c3caaae6af63d2c0a18fe23c0a0ad6af4bc291a4ca0b307b793ecd72c208`
SHA3	`17e80cf9353017008c39949edbfa85dab2e05997489dd3f70a9011a55a873b9f`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x1e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.00608`
MD5	`7ff7d39b16386f4f6fee6aa31a7a30d2`
SHA1	`627a77b872a5f96dac9e9e8192a6b69e6b42e442`
SHA256	`a4decb956ef21cf973673bd470c584118435c434460c721b3d3bb6d4ef2593ae`
SHA3	`c3d2b22a2f1a8642f163d26b642edcc30e56ae1f569bcef8b8982832db6b7a92`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.54487`
MD5	`795eaded5f1a4d5b941666193f322070`
SHA1	`75d17b20924fc500538d0a3dd42432fefd3c5b58`
SHA256	`7ea18ce7b5deae3ce5569a90d281bb801d377ddeae4c07eb04ae2528de971a8d`
SHA3	`f52dcd086bb2da8503f4f116a55c79793e01200451510ad85e6d836cb9a8ce32`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xea8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.80484`
MD5	`5d54b125bb7b3f386442061381ecbcf8`
SHA1	`4f6fe9bf0d5ee88de6afab558bef26405ba9be8f`
SHA256	`5341a8a7243632b48fc897c3b08c5a5de5417a52c575a78a7a15c40760e39b04`
SHA3	`39ca0573e7ae56aa73f1a339bbe5a1b7b76f52e60251654e95b633a1c0190a86`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x8a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.17041`
MD5	`2fcf1c1e9442bce2179076674bc02994`
SHA1	`cbdff8ef5d563366b5b7d7131ab579a15eb15b89`
SHA256	`dfde6d62bc6ee4b5f381d3d5984e2bada09fa639509c1db9c000bdb334ca2a87`
SHA3	`d0cb0b2f01dc532bb20aa67e49ab035f489a9f0d7181c1de935f73b4ea512cf7`

7

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x6c8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.17417`
MD5	`ebe770cd8909f31991e6bbadcba9fd5a`
SHA1	`540fd2cb4285ed8209ca97233d9cf55cc909a966`
SHA256	`c6b01ce067372a0c8fc830c274967d53fd388c297b9827f84ac5a40d4cc456ab`
SHA3	`48fdc17f0b38b164310e0d4bb7dc106d08fea8036a5b1035eac9d0587a5f4e3a`

8

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.52932`
MD5	`ad951f8ea4bec9bd1effd28587d4cf58`
SHA1	`70cfa1f68cf7eafd4d9132c37329dfbaf3225ab6`
SHA256	`ef3c21a3e2326e53ae27f013ad7e08fc225867e95cd56c5342a390962cf78ac0`
SHA3	`aca6492b28587937b397c635d581be2ead6d0b1747c4f51a3e9595f966a20c88`

9

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xb8dd`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.98061`
Detected Filetype	PNG graphic file
MD5	`eca2b97b011faf4b96b4427d95d249ea`
SHA1	`7d24ae03bf62d327ba5523df24373c1c5270edfc`
SHA256	`e6588525cd6196d1d5f75f1fa3b14118701d604b3235ae4baf54c2b63caa71f2`
SHA3	`33178b63f08a4c7a84151f4c35db4922e6fa107117a40b9dabcdef939151c625`

10

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.51487`
MD5	`0e4b059b576ac2d0426c5f17d5ca8011`
SHA1	`ec700a6864eca645a5f10e190cb28b77d7a8bbc9`
SHA256	`173d928a42970ec9085472b6470a8cf48d27aadb86c8abe48279e550b9757e5e`
SHA3	`a9c8c632d287a031d0072a1fc452004dbae478c9ffb1fb016cba0747c0a7a9fd`

11

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.75161`
MD5	`ba8828b4156e22da1b0c5e60c3476a78`
SHA1	`478df2b81354bfc1d4f5d23f89b1127a572258b4`
SHA256	`bd8f977c5250a0933f46cc360b168583480ecd4e0f06321633bde72c0d19d547`
SHA3	`debab9fa60e9690c33a42b4ef18866c5a285aea55bfc5ce4ff1ac339ae0b6046`

12

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x988`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.81993`
MD5	`4d8eefd0a6d602159a618bda78050bd9`
SHA1	`95f6225780cedbbc4fd5b996aa22d05455c35a98`
SHA256	`163da620023a2f12f602dc8f1fc30b0b3f7dbd2467e86465190a232437d85ac3`
SHA3	`8ee532433cb47ab44d16d39c5e1928b2e549fe39a8400fea4d1fea546e6c5a04`

13

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.73755`
MD5	`c2df71d2854ad119e5b065a55a4ab423`
SHA1	`43d3b45cb5c710fa068864d6c3755f7515c7d7ad`
SHA256	`f393e0e23a4e9530463f0053f1831ed4c95607bb657b738b684500bd6c90492a`
SHA3	`43fbe9e267c59edddc84d84e4ff4cbc888e886796ce87652130cab9c658d9b10`

100

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0xbc`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.06903`
Detected Filetype	Icon file
MD5	`2d2d8de35482410dd94600c91aafc728`
SHA1	`34e6ab82182825524585777d16546d7f30013985`
SHA256	`db0ff38e623825d580e0de80405df72c5f13c89ae91c4e0750ee026fca77b23c`
SHA3	`c25c8b1580e775b7a1706a2e2fe8d7ce2696e59615422a06446a47cc923b6380`

1 (#4)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3a0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.50812`
MD5	`99fda6bd61af0a306b83f834b72b64e6`
SHA1	`89a91327a8f7c24441e799d0a8ee4722f499fa0c`
SHA256	`2d5c4ca5cbb1eef5dc60d1252d6538f0880cc64ea177a8af87998b7d658e36a9`
SHA3	`eafdb518b469f02d3992ec3e3768c09d76ef54d957fcfeca35b76317f83041ac`

1 (#5)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x56c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.64832`
MD5	`f67c0d76512aced755a603f125ea59ec`
SHA1	`d4ae378b6946a043c582a8dd1b3238e10d9beee8`
SHA256	`f5a42ba0a4aa27ed99a9961b52b8f8786c5b880b00b03aa3b85ba5cd5aac5284`
SHA3	`5160d4016989a1c2477348ebc7802e43b0d3c4489dbcfac7128cb79bb02aafb1`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.16299.1146
ProductVersion	10.0.16299.1146
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Windows Problem Reporting
FileVersion (#2)	10.0.16299.1146 (WinBuild.160101.0800)
InternalName	WerFault
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	WerFault.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.16299.1146

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	1982-Jan-11 13:10:32
Version	`0.0`
SizeofData	`37`
AddressOfRawData	`0x34224`
PointerToRawData	`0x32024`
Referenced File	WerFault.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	1982-Jan-11 13:10:32
Version	`0.0`
SizeofData	`880`
AddressOfRawData	`0x3424c`
PointerToRawData	`0x3204c`

UNKNOWN

Characteristics	`0`
TimeDateStamp	1982-Jan-11 13:10:32
Version	`0.0`
SizeofData	`0`
AddressOfRawData	`0`
PointerToRawData	`0`

TLS Callbacks

Load Configuration

Size	`0x100`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14003b518`
GuardCFCheckFunctionPointer	`5368885464`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0x3088c8c3`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`126`
ASM objects (VS2017 v15.?.? build 25203)	`3`
C objects (VS2017 v15.?.? build 25203)	`25`
Total imports	`417`
Imports (VS2017 v15.?.? build 25203)	`13`
C++ objects (VS2017 v15.?.? build 25203)	`6`
265 (VS2017 v15.?.? build 25203)	`67`
Resource objects (VS2017 v15.?.? build 25203)	`1`
Linker (VS2017 v15.?.? build 25203)	`1`

Errors

[*] Warning: Section .imrsiv has a size of 0!