Play interactive tour

Edit tour

Windows Analysis Report Halkbank.exe

Overview

General Information

Sample Name:	Halkbank.exe
Analysis ID:	528764
MD5:	4b230a305cc22a04446b397310070d56
SHA1:	208524b096c579b89579febff0b40f752b4e7db4
SHA256:	a22ca2c5d6086e8c6703deb2e345efc08627e7063c447d60babe6edb17503856
Tags:	AgentTeslaexegeoHalkbankTUR
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Modifies the hosts file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Halkbank.exe (PID: 6272 cmdline: "C:\Users\user\Desktop\Halkbank.exe" MD5: 4B230A305CC22A04446B397310070D56)

RegSvcs.exe (PID: 5972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

WerFault.exe (PID: 4232 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1476 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.287151735.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.287151735.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000000.494379610.0000000002ED8000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.287966874.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.287966874.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.288288058.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.288288058.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.490385199.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.490385199.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.533288791.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.533288791.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.491463925.0000000002ED8000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.287632370.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.287632370.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.535018721.0000000002ED8000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Halkbank.exe PID: 6272	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Halkbank.exe PID: 6272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5972	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5972	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WerFault.exe PID: 4232	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.Halkbank.exe.3e39bb8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Halkbank.exe.3e39bb8.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Halkbank.exe.3e04198.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Halkbank.exe.3e04198.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Halkbank.exe.2ded24c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
1.2.Halkbank.exe.3e39bb8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Halkbank.exe.3e39bb8.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Halkbank.exe.3e04198.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Halkbank.exe.3e04198.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 20 entries

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank.exe" , ParentImage: C:\Users\user\Desktop\Halkbank.exe, ParentProcessId: 6272, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5972

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Halkbank.exe" , ParentImage: C:\Users\user\Desktop\Halkbank.exe, ParentProcessId: 6272, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5972

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.0.RegSvcs.exe.400000.4.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@devmetsan.com.tr", "Password": "Murat2019*", "Host": "mail.devmetsan.com.tr"}

Multi AV Scanner detection for submitted file

Show sources

Source: Halkbank.exe

Virustotal: Detection: 19%

Perma Link

Source: 5.0.RegSvcs.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.5.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.3.unpack	Avira: Label: TR/Spy.Gen8

Source: Halkbank.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Halkbank.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000018.00000003.501131452.0000000004FE8000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501577620.0000000004FE9000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000018.00000003.515947307.0000000005527000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516030444.0000000005527000.00000004.00000040.sdmp
Source:	Binary string: System.pdb' source: WER819B.tmp.dmp.24.dr
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbHk source: WER819B.tmp.dmp.24.dr
Source:	Binary string: .pdb&&=8 source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: ore.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.492318602.000000000602D000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.536059728.000000000602D000.00000004.00000001.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbr source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb& source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: vaultcli.pdb8 source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.pdb"" source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000018.00000003.501258894.0000000003025000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501634756.0000000003025000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbu source: RegSvcs.exe, 00000005.00000002.534261296.0000000001125000.00000004.00000020.sdmp, RegSvcs.exe, 00000005.00000000.493739799.0000000001125000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: sxs.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb@ source: WER819B.tmp.dmp.24.dr
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: wbemdisp.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000000.492318602.000000000602D000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.536059728.000000000602D000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb6 source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000018.00000003.515947307.0000000005527000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516030444.0000000005527000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: combase.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb= source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000005.00000002.534261296.0000000001125000.00000004.00000020.sdmp, RegSvcs.exe, 00000005.00000000.493739799.0000000001125000.00000004.00000020.sdmp
Source:	Binary string: wbemprox.pdbb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER819B.tmp.dmp.24.dr
Source:	Binary string: System.Configuration.pdbH source: WER819B.tmp.dmp.24.dr
Source:	Binary string: CustomMarshalers.pdbCA source: WER819B.tmp.dmp.24.dr
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER819B.tmp.dmp.24.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbk source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb_ source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb.[ source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: vaultcli.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
Source:	Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb{{(9 source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: .pdb source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbd source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3%l source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
Source:	Binary string: ws2_32.pdbV source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000018.00000003.501258894.0000000003025000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501634756.0000000003025000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr

Source: RegSvcs.exe, 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: http://OGxUTf.com
Source: WerFault.exe, 00000018.00000002.532293810.0000000004EB0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Amcache.hve.24.dr	String found in binary or memory: http://upx.sf.net
Source: RegSvcs.exe, 00000005.00000000.491450693.0000000002ED1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Halkbank.exe, 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 5.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838
Source: 5.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838
Source: 5.0.RegSvcs.exe.400000.5.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838
Source: 5.0.RegSvcs.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838
Source: 5.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bC8CB4320u002d469Eu002d4CE6u002dB4D2u002dAB375F7FC036u007d/u0037A240B66u002d27E2u002d4E75u002d8780u002d28B311BBCB88.cs	Large array initialization: .cctor: array initializer size 11838

Source: Halkbank.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1476

Source: C:\Users\user\Desktop\Halkbank.exe	Code function: 1_2_009FA2A9	1_2_009FA2A9
Source: C:\Users\user\Desktop\Halkbank.exe	Code function: 1_2_06100F28	1_2_06100F28
Source: C:\Users\user\Desktop\Halkbank.exe	Code function: 1_2_06100040	1_2_06100040
Source: C:\Users\user\Desktop\Halkbank.exe	Code function: 1_2_061046FD	1_2_061046FD
Source: C:\Users\user\Desktop\Halkbank.exe	Code function: 1_2_061047F0	1_2_061047F0
Source: C:\Users\user\Desktop\Halkbank.exe	Code function: 1_2_061047E1	1_2_061047E1
Source: C:\Users\user\Desktop\Halkbank.exe	Code function: 1_2_009FA035	1_2_009FA035
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F10040	5_2_00F10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F18A48	5_2_00F18A48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F12A29	5_2_00F12A29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F18828	5_2_00F18828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F1B6E8	5_2_00F1B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F19878	5_2_00F19878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F2C2F0	5_2_00F2C2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F21FE2	5_2_00F21FE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F2AB70	5_2_00F2AB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F22768	5_2_00F22768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F27CB6	5_2_00F27CB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F27880	5_2_00F27880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F279A7	5_2_00F279A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F2795F	5_2_00F2795F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F27A09	5_2_00F27A09

Source: Halkbank.exe, 00000001.00000002.289355845.0000000000A8A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSafeBSTRHand.exeJ vs Halkbank.exe
Source: Halkbank.exe, 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs Halkbank.exe
Source: Halkbank.exe, 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs Halkbank.exe
Source: Halkbank.exe, 00000001.00000002.292657318.0000000006080000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs Halkbank.exe
Source: Halkbank.exe, 00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIndvGslqFtFYfKpHTgcTQzFewbwOcpef.exe4 vs Halkbank.exe
Source: Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs Halkbank.exe
Source: Halkbank.exe	Binary or memory string: OriginalFilenameSafeBSTRHand.exeJ vs Halkbank.exe

Source: Halkbank.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Halkbank.exe

Virustotal: Detection: 19%

Source: Halkbank.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Halkbank.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Halkbank.exe "C:\Users\user\Desktop\Halkbank.exe"
Source: C:\Users\user\Desktop\Halkbank.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1476
Source: C:\Users\user\Desktop\Halkbank.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Halkbank.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER819B.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@4/8@0/0

Source: C:\Users\user\Desktop\Halkbank.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5972

Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.5.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.5.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Halkbank.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Halkbank.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Halkbank.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000018.00000003.501131452.0000000004FE8000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501577620.0000000004FE9000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000018.00000003.515947307.0000000005527000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516030444.0000000005527000.00000004.00000040.sdmp
Source:	Binary string: System.pdb' source: WER819B.tmp.dmp.24.dr
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbHk source: WER819B.tmp.dmp.24.dr
Source:	Binary string: .pdb&&=8 source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: ore.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.492318602.000000000602D000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.536059728.000000000602D000.00000004.00000001.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbr source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb& source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: vaultcli.pdb8 source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.pdb"" source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000018.00000003.501258894.0000000003025000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501634756.0000000003025000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbu source: RegSvcs.exe, 00000005.00000002.534261296.0000000001125000.00000004.00000020.sdmp, RegSvcs.exe, 00000005.00000000.493739799.0000000001125000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: sxs.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.PDB source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb@ source: WER819B.tmp.dmp.24.dr
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: wbemdisp.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000000.492318602.000000000602D000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.536059728.000000000602D000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb6 source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000018.00000003.515947307.0000000005527000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516030444.0000000005527000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: combase.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb= source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000005.00000002.534261296.0000000001125000.00000004.00000020.sdmp, RegSvcs.exe, 00000005.00000000.493739799.0000000001125000.00000004.00000020.sdmp
Source:	Binary string: wbemprox.pdbb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER819B.tmp.dmp.24.dr
Source:	Binary string: System.Configuration.pdbH source: WER819B.tmp.dmp.24.dr
Source:	Binary string: CustomMarshalers.pdbCA source: WER819B.tmp.dmp.24.dr
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER819B.tmp.dmp.24.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdbk source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb_ source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb.[ source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: vaultcli.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
Source:	Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb{{(9 source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: .pdb source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbd source: RegSvcs.exe, 00000005.00000000.490961404.00000000011CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.534391615.00000000011CB000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3%l source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 00000005.00000002.533609146.0000000000EF8000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.490547658.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER819B.tmp.dmp.24.dr
Source:	Binary string: ws2_32.pdbV source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: CustomMarshalers.pdb source: WerFault.exe, 00000018.00000003.515865466.0000000005538000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000018.00000003.516018795.0000000005520000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000018.00000003.501258894.0000000003025000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.501634756.0000000003025000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000018.00000003.515915382.0000000005551000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp, WER819B.tmp.dmp.24.dr
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000000.495352147.0000000005FE0000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.535968114.0000000005FE0000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb" source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515854696.0000000005536000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000018.00000003.515814367.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.516039599.000000000552A000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.515786951.0000000005521000.00000004.00000040.sdmp, WerFault.exe, 00000018.00000003.515958788.000000000552A000.00000004.00000040.sdmp, WER819B.tmp.dmp.24.dr

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Halkbank.exe, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.Halkbank.exe.9f0000.0.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.Halkbank.exe.9f0000.0.unpack, MegaMan.LevelEditor/MainForm.cs	.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_00F1718B push 8BFFFFFFh; retf

5_2_00F17198

Source: initial sample

Static PE information: section name: .text entropy: 7.70769358931

Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 1.2.Halkbank.exe.2ded24c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank.exe PID: 6272, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Halkbank.exe, 00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmp, Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Halkbank.exe, 00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmp, Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Halkbank.exe TID: 6016	Thread sleep time: -36926s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe TID: 3340	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Halkbank.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3217			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6617			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Halkbank.exe	Thread delayed: delay time: 36926	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Amcache.hve.24.dr	Binary or memory string: VMware
Source: Amcache.hve.24.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.24.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: WerFault.exe, 00000018.00000003.529964299.0000000004FD6000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.532467720.0000000004FD6000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.532293810.0000000004EB0000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000003.529529898.0000000004FD6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.24.dr	Binary or memory string: VMware, Inc.me
Source: WerFault.exe, 00000018.00000003.529466977.0000000004FE0000.00000004.00000001.sdmp, WerFault.exe, 00000018.00000002.532482185.0000000004FE2000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWh
Source: Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.24.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Halkbank.exe, 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: WerFault.exe, 00000018.00000003.527444365.0000000004FE8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.24.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.24.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.24.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.24.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.24.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.24.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.24.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_00F1C308 LdrInitializeThunk,

5_2_00F1C308

Source: C:\Users\user\Desktop\Halkbank.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Halkbank.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DF8008	Jump to behavior

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\Halkbank.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Halkbank.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Halkbank.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: RegSvcs.exe, 00000005.00000000.494112429.0000000001810000.00000002.00020000.sdmp, RegSvcs.exe, 00000005.00000000.491193047.0000000001810000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000005.00000000.494112429.0000000001810000.00000002.00020000.sdmp, RegSvcs.exe, 00000005.00000000.491193047.0000000001810000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000005.00000000.494112429.0000000001810000.00000002.00020000.sdmp, RegSvcs.exe, 00000005.00000000.491193047.0000000001810000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000005.00000000.494112429.0000000001810000.00000002.00020000.sdmp, RegSvcs.exe, 00000005.00000000.491193047.0000000001810000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Halkbank.exe	Queries volume information: C:\Users\user\Desktop\Halkbank.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Halkbank.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Halkbank.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: Amcache.hve.24.dr, Amcache.hve.LOG1.24.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.24.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.24.dr, Amcache.hve.LOG1.24.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 1.2.Halkbank.exe.3e39bb8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Halkbank.exe.3e04198.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Halkbank.exe.3e39bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Halkbank.exe.3e04198.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.287151735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.287966874.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.288288058.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.490385199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.533288791.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.287632370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.494379610.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.491463925.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.535018721.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank.exe PID: 6272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5972, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 4232, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5972, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 1.2.Halkbank.exe.3e39bb8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Halkbank.exe.3e04198.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Halkbank.exe.3e39bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Halkbank.exe.3e04198.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.287151735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.287966874.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.288288058.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.490385199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.533288791.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.287632370.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.494379610.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.491463925.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.535018721.0000000002ED8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Halkbank.exe PID: 6272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5972, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 4232, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection312	Masquerading1	OS Credential Dumping1	Security Software Discovery231	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	File and Directory Permissions Modification1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion141	SMB/Windows Admin Shares	Data from Local System1	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Virtualization/Sandbox Evasion141	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection312	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery114	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Halkbank.exe	20%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.RegSvcs.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.RegSvcs.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.RegSvcs.exe.400000.5.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.RegSvcs.exe.400000.6.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.RegSvcs.exe.400000.2.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.RegSvcs.exe.400000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://OGxUTf.com	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegSvcs.exe, 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://OGxUTf.com	RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	RegSvcs.exe, 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp	false	URL Reputation: safe	low
http://upx.sf.net	Amcache.hve.24.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
https://api.ipify.org%	RegSvcs.exe, 00000005.00000000.491450693.0000000002ED1000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Halkbank.exe, 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 00000018.00000003.513211711.00000000059D0000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528764
Start date:	25.11.2021
Start time:	18:46:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Halkbank.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@4/8@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 92% Number of executed functions: 61 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.189.173.22 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:47:18	API Interceptor	2x Sleep call for process: Halkbank.exe modified
18:47:30	API Interceptor	613x Sleep call for process: RegSvcs.exe modified
18:49:14	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_6e42c2ecbe67857e042102e8f977834d8ccb729_75d5926b_11ee2609\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1287522346016217
Encrypted:	false
SSDEEP:	192:I4kGbdHBUZMXaaPXvJCM34/u7sVS274Itx:ftBBUZMXaapP34/u7sVX4Itx
MD5:	CBE3312FDE05A798F5F92170E696AED0
SHA1:	E43A6E8BAB45A674F7FFE5F9A0B9475CDD71FF68
SHA-256:	AD59069D0E0B3B7123C5F4F1D429FEDAF4663EEE1D46F4CA970DD00CF02FA9E7
SHA-512:	8397A797E8D17F69333384CD95BCE0BC3F6E4042FD087AC13BBAF5C7D370C8C4886082396F422A150264A0DC4310A9416803F627272D1FD877B00E63BE3499C4
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.3.6.8.5.4.1.9.8.5.9.6.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.2.3.6.8.5.5.2.1.2.6.6.0.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.0.e.c.b.6.a.-.5.7.8.d.-.4.4.d.9.-.b.e.3.c.-.e.8.9.1.1.c.5.a.8.e.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.1.9.e.5.b.7.-.8.e.4.5.-.4.5.9.3.-.9.a.4.3.-.5.6.8.4.6.3.6.2.9.7.f.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.S.v.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.5.4.-.0.0.0.1.-.0.0.1.c.-.8.c.a.f.-.4.0.e.e.6.f.e.2.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.7.b.a.2.a.1.1.1.c.e.d.d.5.b.f.5.2.3.2.2.4.b.3.f.1.c.f.e.5.8.e.e.c.7.c.2.f.d.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER819B.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Nov 26 02:49:06 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	281542
Entropy (8bit):	3.695343865128418
Encrypted:	false
SSDEEP:	3072:6fwWc+0pa0DuUCgUCVjd+pVyxoHuNGoomu9gIOgF5WFY76A:qJD0paSuTjrpVIoO4B59RpDAm
MD5:	EC0DED637BEA0B9542F877FD855DBD00
SHA1:	16F0A36F2043305A4070CB7B8BD7516317C25D00
SHA-256:	239915962B2EDBB037BA0383BDF68CC477D5870DF2474DD47C7A51F27EEF29CC
SHA-512:	894C3FB8B2C9B24C0B212703A25C52DF8A149D4DE34E399FB5F4E1AABF39A488086C7205F1AF8597A393944DA6F8A17A03068E269B899177711C7EA6303232BC
Malicious:	false
Reputation:	low
Preview:	MDMP....... ......."K.a............D...........,...X.......$....#......T&...R..........`.......8...........T............8...............#...........%...................................................................U...........B......,&......GenuineIntelW...........T.......T....J.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER993B.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8342
Entropy (8bit):	3.6875708666095264
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipTjN6vn6YbS69mUgmfZ7SQCprZ89b4wsf4Im:RrlsNipfN6f6Y+69NgmflSu4Dfu
MD5:	2BE17A229E83FB783BCC938FFA8D167A
SHA1:	B8EDF9AF3C5593F09708110BF1F7CFD4BEE1EB5E
SHA-256:	E9E2578A901410941C5EE770855BBEAA19B7E898A7CDD73ED7881C91CA6AFAB9
SHA-512:	18197F047A57325CAA039DA2FA9596347B723D77EF0D5091435C07B95D3684CBF515AA88984B550E4D89891485FEDFE077E366430A8DE0D12BF7DB27B5972842
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.7.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D53.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4719
Entropy (8bit):	4.443555954095162
Encrypted:	false
SSDEEP:	48:cvIwSD8zsBJgtWI9bbWSC8BW8fm8M4JStjJ2FdL+q8vrtjJBP7Zd:uITfTIqSNxJLK1P7Zd
MD5:	07FEB55CAB5BB0BE4C80D94B74914413
SHA1:	E4FC06D252D2EE912D6790061D7D7466E6D9F6A4
SHA-256:	65EFFEECEB743A92E62D4BD52978813579EC8ABEA8E853653F9121E63C0914E6
SHA-512:	D0161DA2C76EB2965DFC32995DC9799848AA6861F7A3C63E9F4819C8383C98F965A879E60632574982C06DD97CD169C26382CDB0C9240C81C69AD45086E1766D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1270799" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Halkbank.exe.log Download File
Process:	C:\Users\user\Desktop\Halkbank.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5:	D918C6A765EDB90D2A227FE23A3FEC98
SHA1:	8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256:	AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512:	A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	835
Entropy (8bit):	4.694294591169137
Encrypted:	false
SSDEEP:	24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5:	6EB47C1CF858E25486E42440074917F2
SHA1:	6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256:	9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512:	08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.275087234815477
Encrypted:	false
SSDEEP:	12288:gmB3EyobBNXUvI3iljSGbJ/EKkBdEZZw/gmEl/L5rr4VQ0DekhC1n:1B3EyobBNXUvI3CR
MD5:	87287A03FA43FDDFB5B4A61F68CFBE43
SHA1:	D873ADBEC4AE25378CE25667263DABC0D23BB985
SHA-256:	28F8540784933C5D589851F7771A04BB8CCCF0A1F598C5963E38EEC23FDF13CE
SHA-512:	08F68963DA0EA8624E288164EB18CA10E592F376C8E358CC6323F6DFA0B40C7E2B8F7DBCA4E36FABBD4801043B03C8DFB792EC22B416E7AC0BD076E2BD8D854E
Malicious:	false
Reputation:	low
Preview:	regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...)p...............................................................................................................................................................................................................................................................................................................................................>@.t........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	4.033223004973161
Encrypted:	false
SSDEEP:	384:BHWw5Rftx1hPJ4XOsF8nm7kiPBqXRSeq5QMVyi6+/zl4Lk4JZd1DoXzK4Zy7qx:hWGRftx1BJ4XLF8m73BqXYeq5QMVyi6c
MD5:	56239CA132CF0ABCE61F880652AE144E
SHA1:	7FBFB8471D01D801408E207DB47F9C83CBF2DDDE
SHA-256:	6A47BB76E5C14460CA96ED8A5C41B7EA4F32F1514E1840974102B5DC45BEFE55
SHA-512:	F1913AAEA49A071A347DA26FBA3B0F2B67AF229D2AA87586E895A30404D7FADB60CFB978CD4561873117C6E2493DDB60A0CD32DE7D17772420B82954D9DE852C
Malicious:	false
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...)p...............................................................................................................................................................................................................................................................................................................................................8@.tHvLE.^......Y...........'I.'...4..N.S.........0................... ..hbin................p.\..,..........nk,..t.)p....... ........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..t.)p....... ........................... .......Z.......................Root........lf......Root....nk ..t.)p....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.694981249167293
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Halkbank.exe
File size:	618496
MD5:	4b230a305cc22a04446b397310070d56
SHA1:	208524b096c579b89579febff0b40f752b4e7db4
SHA256:	a22ca2c5d6086e8c6703deb2e345efc08627e7063c447d60babe6edb17503856
SHA512:	c0dcfea90b46ef91463d6ff272e0febd9ee5615bad9f84993458bde3f9f7983fe025747b7a6e306b31884bc57f10040b965d4578900138721b519dcd37da4f95
SSDEEP:	12288:xBzcmhiTUHxuWTFfjCT8VD3feOTfBw31/sWKkTrENa0SixBFmRq:xBomhiIoW7D251/sFkTrFRi1Wq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..a..............0..d............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4982ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x619EE920 [Thu Nov 25 01:38:40 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [ebp+0800000Eh], ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [3D3F170Ah], bh
or dl, byte ptr [edi]
aas
cmp eax, 003F170Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi-51C21EB9h], ch
inc edi
loope 00007FDCA0C47C9Fh
scasb
inc edi
loope 00007FDCA0C47C9Fh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
call far 9999h : 9A3E9999h
call far 0000h : 003E9999h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9827c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0x640	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9632c	0x96400	False	0.785222870736	data	7.70769358931	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x9a000	0x640	0x800	False	0.3408203125	data	3.53068847001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x9a090	0x3b0	data
RT_MANIFEST	0x9a450	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright LiquidFyre Games, LLC 2009
Assembly Version	1.0.0.0
InternalName	SafeBSTRHand.exe
FileVersion	1.0.0.0
CompanyName	LiquidFyre Games, LLC
LegalTrademarks
Comments
ProductName	MegaMan Level Editor
ProductVersion	1.0.0.0
FileDescription	MegaMan Level Editor
OriginalFilename	SafeBSTRHand.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Halkbank.exe PID: 6272 Parent PID: 5992

General

Start time:	18:47:17
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\Halkbank.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Halkbank.exe"
Imagebase:	0x9f0000
File size:	618496 bytes
MD5 hash:	4B230A305CC22A04446B397310070D56
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.289972605.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.290021625.0000000002DD5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.290543372.0000000003DA9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5972 Parent PID: 6272

General

Start time:	18:47:19
Start date:	25/11/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xab0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.493010505.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.534823642.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.287151735.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.287151735.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.491312153.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.494379610.0000000002ED8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.287966874.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.287966874.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.288288058.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.288288058.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.490385199.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.490385199.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.533288791.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.533288791.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.491463925.0000000002ED8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.287632370.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.287632370.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.535018721.0000000002ED8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.494208216.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 4232 Parent PID: 5972

General

Start time:	18:48:58
Start date:	25/11/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1476
Imagebase:	0xe20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000003.513792403.0000000005780000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Halkbank.exe PID: 6272 Parent PID: 5992 Halkbank.exeCOMMON

Executed Functions

Function 06100F28, Relevance: 8.8, Strings: 5, Instructions: 2596COMMON

Download Yara Rule

Strings

D0Ym, xrefs: 06103C71
<Ym, xrefs: 061014EF
XcYm, xrefs: 06103DCA
<Ym, xrefs: 061012D2
XcYm, xrefs: 06103DD8

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID:
String ID: <Ym$<Ym$D0Ym$XcYm$XcYm
API String ID: 0-805044638
Opcode ID: 18646cbca50b7cb033c4e59be88969372229d375da4ee51f4b52876e190e9b3c
Instruction ID: 4b2474f58f3906f08ebc88505d7b1908793b48356f75568ab2bc77f344f4f5b9
Opcode Fuzzy Hash: 18646cbca50b7cb033c4e59be88969372229d375da4ee51f4b52876e190e9b3c
Instruction Fuzzy Hash: D3431974A00219CFDF64DF68C898A9DB7B2BF88304F158599E419AB3A5CB74ED81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06100040, Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae508d5e481ad9b3bc333dbb7645bf4c42dd683e6c1d73bff07c0af28f5b49c
Instruction ID: cffec402384206a0b3074b4b28d0d1f0cf2f8fec4eef644ea33c849886fe0c01
Opcode Fuzzy Hash: 9ae508d5e481ad9b3bc333dbb7645bf4c42dd683e6c1d73bff07c0af28f5b49c
Instruction Fuzzy Hash: F8529F34E001159FEB58DFA9C894BAE77F2BF88305F158469E9069B3A4DB70DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 061046FD, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66bd6d6725f31299e9df3c001b81565ba1befb57a4ca7e613986cad5145a8d05
Instruction ID: c561d5fb2b39597744e27c1bcdbd5d9650191818e8db97079f899735db38a86b
Opcode Fuzzy Hash: 66bd6d6725f31299e9df3c001b81565ba1befb57a4ca7e613986cad5145a8d05
Instruction Fuzzy Hash: D481F331909289CFDB44DFB5E89179DBFF6AF86304F18886AD1449B266EF705805CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0610BA20, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0610BC56

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 482ac6f2b7a8e6a3fee29978e08ef5b9239e7d1783aad7b85e27a8d0da166fe7
Instruction ID: 7684cf4cc0bef3965cfeb9e935975384651c05a7e29b5d4e2218c9644416ce69
Opcode Fuzzy Hash: 482ac6f2b7a8e6a3fee29978e08ef5b9239e7d1783aad7b85e27a8d0da166fe7
Instruction Fuzzy Hash: 82915C71D04219CFEF50CFA9C8817EEBBB2BF48314F1485A9E809A7280DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0610B798, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0610B828

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9cf1110af07649c50f651a8b2d933baf700b58a60b530361b38852cc8a22ff59
Instruction ID: dc3558c57c068d6e214a3b92a0ce9e44245ff09843b136a779da84ab9cd5741f
Opcode Fuzzy Hash: 9cf1110af07649c50f651a8b2d933baf700b58a60b530361b38852cc8a22ff59
Instruction Fuzzy Hash: 982146759003099FDF00CFAAC881BEEBBF5FF48314F10882AE918A7250D7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0610B600, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0610B67E

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 92f0f09af07cdd62c7f0bd3124b6500c8a5a37fadeb2c2dbd89430efc0ce9d88
Instruction ID: afeac3a43d777868198f84ac4ef435e15f347b76fbd654a69091c140b10f9114
Opcode Fuzzy Hash: 92f0f09af07cdd62c7f0bd3124b6500c8a5a37fadeb2c2dbd89430efc0ce9d88
Instruction Fuzzy Hash: A4212971D003098FDB50DFAAC4857EEBBF4EF88318F14842AD559A7240DB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0610B888, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0610B908

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5ca77983bae580a29f0536849195bdd589c1de6385578391be3b12c3d8c47866
Instruction ID: f0f125415b81c2aa10f6e26c7d2afe0e4f2bb0076c9fc81dc128af1b43ff1543
Opcode Fuzzy Hash: 5ca77983bae580a29f0536849195bdd589c1de6385578391be3b12c3d8c47866
Instruction Fuzzy Hash: FA2128B1D003199FDF00DFAAC881AEEBBF5FF48314F54882AE518A7250D7749944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0610B6D8, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0610B746

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6a2f73c656a2f5e7d8bdab596653092d0c7b63001502117904000fb7f50e1b1e
Instruction ID: cfc48e6b35fc265447ba8261295362c9c3d8144112138e67a252906143995006
Opcode Fuzzy Hash: 6a2f73c656a2f5e7d8bdab596653092d0c7b63001502117904000fb7f50e1b1e
Instruction Fuzzy Hash: 451123759002499BDF10DFAAC844BEFBBF9EF88324F14881AE515A7250CB75A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0610B550, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0610B5B2

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2d17f2004af41619dbe6998911750d271457a74ae52a91a65d8e41efe28b8335
Instruction ID: dcab4e5358026b7884196951396f0891ffa504a19412992f2248574db7758782
Opcode Fuzzy Hash: 2d17f2004af41619dbe6998911750d271457a74ae52a91a65d8e41efe28b8335
Instruction Fuzzy Hash: 86115875D002088BDB10DFAAC4447EEBBF9AF88324F14881AD515A7240C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06100D24, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0610E7BD

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a872bd71043144a2bb802704fa311eae9957e72c2c6d809624c4e8c7b823873f
Instruction ID: 59ee469abc954c96b1f4e5e7840a8cda4adcb4f3f7017f729c5217d001c22ff7
Opcode Fuzzy Hash: a872bd71043144a2bb802704fa311eae9957e72c2c6d809624c4e8c7b823873f
Instruction Fuzzy Hash: C41122B59003089FDB20DF8AD884BDEBBF8EB48324F10881AE514A3640C3B4A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0610F148, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0610F1A0

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2f56b42800a9b837822f0b4ddae118775952c37ab85f2222d778895714e945bd
Instruction ID: db2fc72e615ce77afde0218c692128c71ceae9b7db0a0ee432087cc3694f3b08
Opcode Fuzzy Hash: 2f56b42800a9b837822f0b4ddae118775952c37ab85f2222d778895714e945bd
Instruction Fuzzy Hash: A21133B5800209CFDB20DF9AC545BDEBBF4EF88324F14842AD958A7240D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.289566004.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2507fe0c72ef0c8ad1b8d4310d372e6d77923a2aa00e4b580fddd6ae2d4e39a
Instruction ID: 863518c4bf8222c87d82c7c023f935e94d39a2738675552d69e968c57d8d6cee
Opcode Fuzzy Hash: a2507fe0c72ef0c8ad1b8d4310d372e6d77923a2aa00e4b580fddd6ae2d4e39a
Instruction Fuzzy Hash: A9216A72E00344DFCB00CF40D9C0F56BBA5FB98328F288569D8060B656C336DC45E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F7D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.289579279.0000000000F7D000.00000040.00000001.sdmp, Offset: 00F7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3345416c2a5bdb749416e0305d4a4e681f2890ffb3c2eed1fb639fb80086738a
Instruction ID: ffe29706a64bc010dcaaf1b0cbb28c80ed1809dd3d8d79658afb8b7afeb865e8
Opcode Fuzzy Hash: 3345416c2a5bdb749416e0305d4a4e681f2890ffb3c2eed1fb639fb80086738a
Instruction Fuzzy Hash: 7A212272904200DFCB14CF10D9C4B26BBB5FF84324F64C96ED80E0B24AC736D846DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.289579279.0000000000F7D000.00000040.00000001.sdmp, Offset: 00F7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766220ec631a733bd64689f2794e4f3fabc6dfe04847d9eeb889a1a7f2eb6ce6
Instruction ID: 48fc8f414d76977ae86ddbc98588460bf0f2d460f782dcacbaac8eb9bcc4f06d
Opcode Fuzzy Hash: 766220ec631a733bd64689f2794e4f3fabc6dfe04847d9eeb889a1a7f2eb6ce6
Instruction Fuzzy Hash: 00214F755093808FDB12CF24D994B15BF71EF46224F28C5EBD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.289566004.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3565b1a5ef8eef5e133bcdc94b13be323f23389a284cca19be178372932ec993
Instruction ID: 1d805f2c8823960d8b0e352127c2874a0e64f487ae1946798d80d106828dcb35
Opcode Fuzzy Hash: 3565b1a5ef8eef5e133bcdc94b13be323f23389a284cca19be178372932ec993
Instruction Fuzzy Hash: 2E11D376904280CFCB15CF10D5C4B16BF71FB98324F2886A9D8064B656C33AD85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.289566004.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4fa98f6ea7e6e06f084c56dbe24c051c94cc88d7d01e2ee0cc5118ed297328
Instruction ID: 8aa3144f73edc66e0b14fb9a724cfecc7b54553755db61cd267313e24afa0e75
Opcode Fuzzy Hash: bd4fa98f6ea7e6e06f084c56dbe24c051c94cc88d7d01e2ee0cc5118ed297328
Instruction Fuzzy Hash: 44012B72E043409AEB104E55DC84BA7BBDCEF41378F18891AED041F246D7789C44E6B2

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.289566004.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1365703952cda476b16275e958a6ba06e0fcc398b99d50bb7664ecb52ec1ee
Instruction ID: 10ff2376e31b5938b66b0cd35d5bd1dc017d4d30d50f8fa6c743b24a0d096666
Opcode Fuzzy Hash: 9e1365703952cda476b16275e958a6ba06e0fcc398b99d50bb7664ecb52ec1ee
Instruction Fuzzy Hash: DEF0C2719042449EEB108E15CC88B62FBA8EB91734F18C45AED081B286C3789C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009FA2A9, Relevance: .9, Instructions: 896COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.289239942.00000000009F2000.00000002.00020000.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.289235168.00000000009F0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.289355845.0000000000A8A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ff0009a3c968d98fd90668b3a3a664d25a6aab53ee2b7e982bc80375fb09c3
Instruction ID: b732b61a70c34f753a56657cecca2e1fce3faa48b4ca0a15cd0cfc26db98d7b3
Opcode Fuzzy Hash: 19ff0009a3c968d98fd90668b3a3a664d25a6aab53ee2b7e982bc80375fb09c3
Instruction Fuzzy Hash: A262486144F7C19FC7134B746DB56E2BFB1AE6721871E44CBD4C0CE0A3E22A195AE722

Uniqueness

Uniqueness Score: -1.00%

Function 061047E1, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272a3fdf72f8f9d783b301a00dd7745094b8962bab0d54f54ae797b1e96eef3d
Instruction ID: 18ce436f9488bf8cd2f817d053693dcfa553562832777184052301d6aab15246
Opcode Fuzzy Hash: 272a3fdf72f8f9d783b301a00dd7745094b8962bab0d54f54ae797b1e96eef3d
Instruction Fuzzy Hash: 1A518E74E05248CFDB44DFB9E99169EBBFAABC4304F14C869E104AB364EF7059058F81

Uniqueness

Uniqueness Score: -1.00%

Function 061047F0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.292872508.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417bc4cca028c8dbd2dd07f82f35a7b210ddcae8658bb2c7099868d7e7a93157
Instruction ID: bdaf08fbe53ae8f5cdedcd0066de1ef4187059ff31ba03efeba5b44c97a2b97f
Opcode Fuzzy Hash: 417bc4cca028c8dbd2dd07f82f35a7b210ddcae8658bb2c7099868d7e7a93157
Instruction Fuzzy Hash: 57516E70E052488FDB44EFB9E99169EBBFAABC4304F14C869D104AB364EF7069058F91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 5972 Parent PID: 6272 RegSvcs.exeCOMMON

Executed Functions

Function 00F21FE2, Relevance: 4.3, Strings: 3, Instructions: 528COMMON

Download Yara Rule

Strings

D0Ym, xrefs: 00F224D1
D0Ym, xrefs: 00F225D1
D0Ym, xrefs: 00F22444

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: D0Ym$D0Ym$D0Ym
API String ID: 0-2856394074
Opcode ID: 19a25ba21484e36916acd4ee4b17d0116ed22242e2dd771c5cd2d97a538c5012
Instruction ID: 855cc807cc5beec82ace2794f1cd9ed5d843495f6005349a12460dd185beeaf0
Opcode Fuzzy Hash: 19a25ba21484e36916acd4ee4b17d0116ed22242e2dd771c5cd2d97a538c5012
Instruction Fuzzy Hash: 8D12CD30A002299FDB14DFA9D854BAEBBF6BF88314F148529E906DB394DB34DC41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C2F0, Relevance: 2.5, Strings: 1, Instructions: 1232COMMON

Download Yara Rule

Strings

V, xrefs: 00F2CE95

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: f3618f37e13cd3adc9a6eea0176f9a821799273ce0f23d73836a62579bf9a724
Instruction ID: f0a838427c5d7d0bf0242582822ada30dbff8496506119ecf47082fbdfea011f
Opcode Fuzzy Hash: f3618f37e13cd3adc9a6eea0176f9a821799273ce0f23d73836a62579bf9a724
Instruction Fuzzy Hash: A1A27E30A002148FDB28EBB4D4987ADBBF2EF88314F148869E50ADB395DB35DC45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F1C308, Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F1C369

Memory Dump Source

Source File: 00000005.00000002.533671342.0000000000F10000.00000040.00000010.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e28c2e8311b37413df2280443c12f8462ecd002d446cfbca37d6abe51db53fc3
Instruction ID: 1cce2cc970636301d12e623516607bb6174578e7298b3e149393542b5988f25a
Opcode Fuzzy Hash: e28c2e8311b37413df2280443c12f8462ecd002d446cfbca37d6abe51db53fc3
Instruction Fuzzy Hash: CF517331A002059BCB14EBB4D858AEEB7F5BF84304F148969E556EB345DF34AC44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2AB70, Relevance: .9, Instructions: 871COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e22ca96b0187e00a3cbd321078bdeac0a817b15f6b0c0a4a9fca80c3b838c3
Instruction ID: 062a20aa29671765eee3b2c5acccd8a34c4c1c0ea6665570e8569069fcb6cbaa
Opcode Fuzzy Hash: a2e22ca96b0187e00a3cbd321078bdeac0a817b15f6b0c0a4a9fca80c3b838c3
Instruction Fuzzy Hash: 23626E30A002258FDB14EBB9D858BAEB7F2AF88314F158469E90ADB355DF35DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F22768, Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb050afc92f78ad6a782a0ea940162b0d81a9cdd49d52a99591959ffc76399b4
Instruction ID: 3eb340c7a20e3ec62bd60a865e69f482465e70e017481ea9c7cd06f0bc014b20
Opcode Fuzzy Hash: eb050afc92f78ad6a782a0ea940162b0d81a9cdd49d52a99591959ffc76399b4
Instruction Fuzzy Hash: D0E11A71E00129EFCB64CFA9E984AADBBB2FF88314F158065E805AB265D734DC41EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F2D928, Relevance: 2.8, Strings: 2, Instructions: 305COMMON

Download Yara Rule

Strings

D0Ym, xrefs: 00F2DC73
xTm, xrefs: 00F2D99C

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: D0Ym$xTm
API String ID: 0-3820908521
Opcode ID: a551a2e210c6d9c250eb50c6be697efb8f111baa5570a74efbff5320fc7ae2cd
Instruction ID: e5975f6b52a4d18932e450c9c500c730d87ea7a8ac4240867846b4548e4f13b7
Opcode Fuzzy Hash: a551a2e210c6d9c250eb50c6be697efb8f111baa5570a74efbff5320fc7ae2cd
Instruction Fuzzy Hash: E8A1F331B041258FDB24AB79E454B6E73EAEFC4354F15842AD506CB3A9CF78CC419B82

Uniqueness

Uniqueness Score: -1.00%

Function 00F21AC0, Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

XcYm, xrefs: 00F21C41
XcYm, xrefs: 00F21C4B

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: XcYm$XcYm
API String ID: 0-1540604016
Opcode ID: ec9c66d5074e4c8310e0719929a06f01a6cab206a6319cc8f6608faae87a8620
Instruction ID: 1ac7455da65b10492f70c852fd23a319701cd15fbf0b4f8a248549eff15b2513
Opcode Fuzzy Hash: ec9c66d5074e4c8310e0719929a06f01a6cab206a6319cc8f6608faae87a8620
Instruction Fuzzy Hash: 6781F139B40225CFCB18CFA8E484AAAB7F2FF99355B148169D406DB364D730EC01DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00F1C057, Relevance: 2.0, APIs: 1, Instructions: 474libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F1C369

Memory Dump Source

Source File: 00000005.00000002.533671342.0000000000F10000.00000040.00000010.sdmp, Offset: 00F10000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f8d5a9314a6f5bdc6cb04d451ef077839496f7196925e52678cb0bd8dcf6d6f
Instruction ID: b06b87bf2e8944007309a1d3f25e554c1831a1396fa34fa4821fbda2c6fc7a7b
Opcode Fuzzy Hash: 1f8d5a9314a6f5bdc6cb04d451ef077839496f7196925e52678cb0bd8dcf6d6f
Instruction Fuzzy Hash: 8951C171A043059FCB14EBB4D858AEE7BB5BF88300F14896AE552EB255EF349C04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F23E28, Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190643e4f8a01f9bf3eca6b244f8e07963bc6190c62c8d293e3ccdfb3824cc32
Instruction ID: 1bb1cd63cce266057f3720f21f15bfb02b1d83d59555f782fa4a9b98f8660ecc
Opcode Fuzzy Hash: 190643e4f8a01f9bf3eca6b244f8e07963bc6190c62c8d293e3ccdfb3824cc32
Instruction Fuzzy Hash: 19621034A001198FEB24DFA0C954BDEBBBAEF85304F1084A9D60AAB395DF319D45DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F2D3C8, Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb0d26dc88985bffdc9e745040dcdbbc6f7597b57a7fce4af4b3e51cae1dd6f
Instruction ID: 47d7a20f3a50f3632c7d350baab8c3ee36a5208c41c2705363e6f285d84d1a0a
Opcode Fuzzy Hash: 9bb0d26dc88985bffdc9e745040dcdbbc6f7597b57a7fce4af4b3e51cae1dd6f
Instruction Fuzzy Hash: A4F11371B042558FCB14DB78E8547BE7BFAAF95318F14846AD506CB262DB38DC02CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F22D50, Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9d8eca2dbf601e46431770879886494d994288142963137fc1ba5c340182e2
Instruction ID: eaaa570a788af60512d0e1d0db826371fa1b7146af7e858578c54e2b65574a1f
Opcode Fuzzy Hash: 3f9d8eca2dbf601e46431770879886494d994288142963137fc1ba5c340182e2
Instruction Fuzzy Hash: B9126D70A00629DFCB24CFA9E884A9EBBF2FF88314F158559E905DB261DB34ED41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F232D8, Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0aa94fb833d2acb7c762e5e79789838f74d7fc95c42b70118ddf4f500a991b3
Instruction ID: 87fbd73220bfa10915fc5f310bdf0eb2f12db0bac3df18600a22738c4bc66a0e
Opcode Fuzzy Hash: b0aa94fb833d2acb7c762e5e79789838f74d7fc95c42b70118ddf4f500a991b3
Instruction Fuzzy Hash: 8C025AB5A00126DFCB14CF68D584AAEBBF2BF88310F258555E8059B2A5C738FE41DF52

Uniqueness

Uniqueness Score: -1.00%

Function 00F2BB70, Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba0e76b6a9308189bcc68ca23c7f473fc7207a4a8a64819a519b4293cdde626
Instruction ID: e24260bb3cdc79a4e7677bc97dfc919796d5678861dbfaee1b55dcf531d4656b
Opcode Fuzzy Hash: dba0e76b6a9308189bcc68ca23c7f473fc7207a4a8a64819a519b4293cdde626
Instruction Fuzzy Hash: 4AE1BF74B083958FD7169778A8147E63BF69B96304F1984B6E948CB297EB38CC06CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00F24C78, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d994bd07db1f79c6d197d0c52a02cacb9e023a3bb76ea534ac30c419ed2511
Instruction ID: a799929c29a65604f026b06410a89ac2c9dfceac4395d3c7db31c403894224f6
Opcode Fuzzy Hash: 28d994bd07db1f79c6d197d0c52a02cacb9e023a3bb76ea534ac30c419ed2511
Instruction Fuzzy Hash: 36D1E775E00624CFCB14CFA9E5849ADBBF6BF88315B1680A9E905AB361CB74FC41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F24B58, Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d169ddc21f9cbbc044dfdada7d55ec33f77a805cbc708b1e14b2e3a984dfa053
Instruction ID: 2a5f2b1fe9d7e9d1ab94c2a9322156e55879f8c7ae21dba1866c92fe2d21fe0f
Opcode Fuzzy Hash: d169ddc21f9cbbc044dfdada7d55ec33f77a805cbc708b1e14b2e3a984dfa053
Instruction Fuzzy Hash: 30C1E671E006288FCB04CFA9E984A9DBBF6BF88315F168099E515AB361CB74FC41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00F22D40, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab00526e116e24cff90e2a83da44551623daf52d7761b396fadca7b75b30940
Instruction ID: 5690a8b9003a143db9080d4129a2107739f7f9f1f281892f8b12025fb25d1046
Opcode Fuzzy Hash: fab00526e116e24cff90e2a83da44551623daf52d7761b396fadca7b75b30940
Instruction Fuzzy Hash: F8C17A70A00628EFCB54CFA9E984AAEBBF2BF48314F158559E805AB260D734ED41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F216C8, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0dd894f4b4f60b4ca81655e741b16c9c82d272e3c11e1d815dc56b7545f02c
Instruction ID: 1e7587704773a7841ece1c1048dfa61d79cf41e0a04e7b89c0634b76e75219dd
Opcode Fuzzy Hash: 0a0dd894f4b4f60b4ca81655e741b16c9c82d272e3c11e1d815dc56b7545f02c
Instruction Fuzzy Hash: D49111307002258FDB259F64D894BAE77E6BFD8318F048528E8068B399DB74CC45DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00F2E2D8, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7182cf00a5a74be54a1277f2b3fb0c4003aa6ce2133d808d5a25475c27244c34
Instruction ID: b181f4a91183845cc76ea188454fd2ba90dc5940881735b650a531bcc29ef323
Opcode Fuzzy Hash: 7182cf00a5a74be54a1277f2b3fb0c4003aa6ce2133d808d5a25475c27244c34
Instruction Fuzzy Hash: 80618034B002158FCB54EBB8E8506AE7BF6AFC5304B248469D50AEB355EF349D069BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00F23AC8, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b749f18bc6442173eddd3032c5ec21f3903f8664151c8014232ba043473dc174
Instruction ID: f15c81e1b12c9325a35875160afd1c4d6be7e9af0caac1d73d295a7f69794132
Opcode Fuzzy Hash: b749f18bc6442173eddd3032c5ec21f3903f8664151c8014232ba043473dc174
Instruction Fuzzy Hash: F551D2717041258FCB14DF3EE884A6ABBE9FF8876071544A9E406CB361DB35ED01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F2DD68, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f9e461746b5baf20cc2d3ec17de64bbaa26926a86ed6b3870260394641c394
Instruction ID: cf530bb90259ac90bfec20ee26db3b8aedffbf6bd310692f51591c14e8e7735d
Opcode Fuzzy Hash: f9f9e461746b5baf20cc2d3ec17de64bbaa26926a86ed6b3870260394641c394
Instruction Fuzzy Hash: 5A514776A04175CFC708DF29EA84E6973B5BB8931572206A8E507EB3A4CB30EC00EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F22618, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5beef1bb94bf5586299f311f6738684fc698c963b5b7f0076f0460dfd79e23f6
Instruction ID: b41d29fb020b3d9a3c9a38492b315456d7da5129a69167987c7ea38521b09444
Opcode Fuzzy Hash: 5beef1bb94bf5586299f311f6738684fc698c963b5b7f0076f0460dfd79e23f6
Instruction Fuzzy Hash: 1641CC31A00228AFDB50DF64D804BBEBBB6EB84324F04842AE9169B251CB75DD15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F214A8, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980818675374c9339a647cfa652058ae1280224471ca7f3c97747cf4e06e7ac4
Instruction ID: 9e20bfbcf49f4cabb36418e1a2080732780b1b0d1a28dac5a345ba6908deb99d
Opcode Fuzzy Hash: 980818675374c9339a647cfa652058ae1280224471ca7f3c97747cf4e06e7ac4
Instruction Fuzzy Hash: E741C53170021ADFCF119F55E854AAE7BA6FFA8314F044065F90ACB255CB34CD21EB95

Uniqueness

Uniqueness Score: -1.00%

Function 00F238D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7102eca70bf950fc7b5b98d756843e93de13c273c75b20eefd36ba8dcc686fc4
Instruction ID: 6147031744bbb7efe5c56e069d06eca0043b9d52b7f51912f83036e4471994ef
Opcode Fuzzy Hash: 7102eca70bf950fc7b5b98d756843e93de13c273c75b20eefd36ba8dcc686fc4
Instruction Fuzzy Hash: FE414CB5B001259FCB14DF29D848BAE7BB6BF89310F114069F9068B360CB75DE81DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F2EDA8, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5af400893d447b80db5cff32cb59f229a6805a049f7ec0e197e9fe6a27e8070
Instruction ID: 901da35440e44ca14b2fe3853189a51a8cfa6b42e5bb23df181092fee290105a
Opcode Fuzzy Hash: e5af400893d447b80db5cff32cb59f229a6805a049f7ec0e197e9fe6a27e8070
Instruction Fuzzy Hash: 6F31E674B043548FC751EB7CE814AAE7BF5AF89340F1584BAE149DB392EA388C058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C050, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5697bd7643c20fc6e8318d6f05ae851bb8995931ff9f1d1139915506e0713e35
Instruction ID: 27c37b7501b8ddd240be5cec139c18099e57484eeddbc35dda58effd352035a9
Opcode Fuzzy Hash: 5697bd7643c20fc6e8318d6f05ae851bb8995931ff9f1d1139915506e0713e35
Instruction Fuzzy Hash: E131E130F042108FDB14ABB5D4687AE7BE6AF88240B11846CE446EB385DF359C45DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00F2C040, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c46e74e457d43c34e1a17f8b856eed931f3e8b99cf73327334ae3d2f2ee10e
Instruction ID: 43596bb021dbf13ea8c2b58cd032cd966acbb883913f85eb3223732172356e09
Opcode Fuzzy Hash: 18c46e74e457d43c34e1a17f8b856eed931f3e8b99cf73327334ae3d2f2ee10e
Instruction Fuzzy Hash: C631E030F042108FDB14EF74E5696AEBBE2AF88200B15846DD446EB389DF359C45CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00F23D18, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8a3aa1ed5dc809b3384f6cf60ead65a6449f1fa4018655341afc623860db24
Instruction ID: dee3a08be546dc8379aba08f7528e51f05f42c9c95f6e92b24f2ac1b61af03a6
Opcode Fuzzy Hash: 5d8a3aa1ed5dc809b3384f6cf60ead65a6449f1fa4018655341afc623860db24
Instruction Fuzzy Hash: BE2104717042284BDB246635E89477E3A9BAFD5728F658039D506CB398DF3DCD42B382

Uniqueness

Uniqueness Score: -1.00%

Function 00F23D08, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7b5c19e93b513c8add78a2660e05f73a954614a96cfe4128c1baebb5bec4ae
Instruction ID: d8cb2911f1f56d485f0cd04fe5e951d8f6f271b86fc5e72cded69c76e2098adb
Opcode Fuzzy Hash: dd7b5c19e93b513c8add78a2660e05f73a954614a96cfe4128c1baebb5bec4ae
Instruction Fuzzy Hash: E12137717002288BCB246635E88473E3ADBAFD5728B554039D906DB3A4DF39CD01B382

Uniqueness

Uniqueness Score: -1.00%

Function 00F23C10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e475f4e9a068898095f13ba288a2707d1907e0db3d74bd9c53caa8e5e36324da
Instruction ID: 72d482ebec9835de589d09e716d5c0551cd3822370f9ebc2350beff55c118e9e
Opcode Fuzzy Hash: e475f4e9a068898095f13ba288a2707d1907e0db3d74bd9c53caa8e5e36324da
Instruction Fuzzy Hash: 8C21B5B1B452758FC715DE66E88067B7BEAAB85320F154426F802E7344DB39DE00E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2DD57, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a83138f16fb82fae700d90b94b53168b254ebc4c4f3cfca5d9ab32107d66843
Instruction ID: d3912922f5a51b27ee5e6d7fad97cb66ea08fec53626f03b624f70e4785d71bd
Opcode Fuzzy Hash: 4a83138f16fb82fae700d90b94b53168b254ebc4c4f3cfca5d9ab32107d66843
Instruction Fuzzy Hash: 983123326085B0CFC34AEB19F684A6977B8BB8A3117710694F217EB7A5C730EC40EB05

Uniqueness

Uniqueness Score: -1.00%

Function 00F219F0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e518fe293d42d81de6f3ca06a834b7adbc4553e8fde325516137deb4c57289ac
Instruction ID: 42d5269605e5c849197590e26f8f0b151cf59b7a06072492dce30201675c3028
Opcode Fuzzy Hash: e518fe293d42d81de6f3ca06a834b7adbc4553e8fde325516137deb4c57289ac
Instruction Fuzzy Hash: 512127367026218FC7259A29E450A3EB3A6FFD57647154129E907CB364CF34DC429BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00F2AB50, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f11e35f6a15e1af10268c31e8d43ea956b9b785263f3dbfa63fb7c8b8e4c0d
Instruction ID: 3e894089714e7386c32a1e8b6306817e5775d361400ce87d77772c8135b2397e
Opcode Fuzzy Hash: 60f11e35f6a15e1af10268c31e8d43ea956b9b785263f3dbfa63fb7c8b8e4c0d
Instruction Fuzzy Hash: 5E214A70E012198FCB14DFA9E584ADDBBF2FF98354F25856AE504E7211D7309D42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F21627, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9feb443b6d3a692179438af5725c4d289f1fd490435c13b2726e746c8c98aab
Instruction ID: 95b3d44917a2df7a495f0addcdfa09bc90e0acdf7e87d94116af285294ebca95
Opcode Fuzzy Hash: c9feb443b6d3a692179438af5725c4d289f1fd490435c13b2726e746c8c98aab
Instruction Fuzzy Hash: 5B01B532B001556FDF15DE68A810BEF3BEBEBD8354F19806AF905CB254CA718C169B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F2CE98, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23fd1e3946bf6cba51ff2f6a8c76a0e273b1c016f55cb0932bb6a9c3d2b4d7e1
Instruction ID: e7dbbe18f12a04c85f8cce972ba807a8f6e7777c64b39a92c3e6d1f2868e2b5c
Opcode Fuzzy Hash: 23fd1e3946bf6cba51ff2f6a8c76a0e273b1c016f55cb0932bb6a9c3d2b4d7e1
Instruction Fuzzy Hash: DD018171F002298F8B54EBB9E9016AEBBFAEBD8254B104529D509E7344EB349D018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2DCF7, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c3824ffce088c635bde1412cfb8832506ab6d1238cb65b1fd153419746a34d
Instruction ID: 9e0703be9bea7e15a0014d2cfceada09e243ae3f0dbe20b51daf581aa9b3e29d
Opcode Fuzzy Hash: 98c3824ffce088c635bde1412cfb8832506ab6d1238cb65b1fd153419746a34d
Instruction Fuzzy Hash: 98F0E2367406108FD7189A2AE884B6973E5EFD9725B518179E50ACB371DA20CC02CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F2DD08, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0a1593b475567f76729a045f843f29d922703d96dd5d9e7180f19a62ec5061
Instruction ID: f65186e6b7f9c3a6035abc48e14daf37ce348a19a9583c5c98ff8fe0fb6e2926
Opcode Fuzzy Hash: dc0a1593b475567f76729a045f843f29d922703d96dd5d9e7180f19a62ec5061
Instruction Fuzzy Hash: CBF0A0353006208FC718AB3AE858E3A37AAEFC972575580B9E506CB370CE30DC00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A69A, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdc4195c25e62c5e1839737532c692018788926a3e08ee49d11bf20ac37c66a
Instruction ID: c43fd2ce7ef78a6586714b67e58b2e454d5c44cbe08e2ca47502c79b253c7204
Opcode Fuzzy Hash: 4cdc4195c25e62c5e1839737532c692018788926a3e08ee49d11bf20ac37c66a
Instruction Fuzzy Hash: BEE065F6E141199FC740DBB8A5492AD7FF5AF8C1517150166D60DE3305E77049118BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2E517, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c57195b819d14e53c91c478eebe5f9e284e9d2c12d18580bc90cccc6f3c4c3
Instruction ID: 642221d941e3a42433cb0edef10d2e3940225a7c55d0b8b3f1e889ec24be5541
Opcode Fuzzy Hash: 79c57195b819d14e53c91c478eebe5f9e284e9d2c12d18580bc90cccc6f3c4c3
Instruction Fuzzy Hash: B3E0ED35B101248B8F50FBBCE85999DB3F1BFC8254B148165E90AE7355EE389C018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2EEA7, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef797d8183c9c84af5f0f8608a8f8fc0c526e3718d713c4184c1bb9e803acbb4
Instruction ID: d277c4ab6ae842c56a578ac90d6e08969d9bd7587bee57341ec304ab759ef2b7
Opcode Fuzzy Hash: ef797d8183c9c84af5f0f8608a8f8fc0c526e3718d713c4184c1bb9e803acbb4
Instruction Fuzzy Hash: 6BE0ED75B001248B8F40FBBCE8599DDB3F1EFC82547158165E50AE7355EE289C019BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2A6A8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbad846d6860f15192c9c85383b823785e0ce3690471a8baf05c99e6044b02a6
Instruction ID: f439fd899225129712ffc2ba65855a0792e1519ced8b63fa7141e567186c2359
Opcode Fuzzy Hash: cbad846d6860f15192c9c85383b823785e0ce3690471a8baf05c99e6044b02a6
Instruction Fuzzy Hash: D1E01276E141199F4750ABADA8055AE7FF9EB8C251B104076E90DE3200EA705A118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2BFE1, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd89b709a5cf9fdb8da07e05806b55e6a81f2849d9defe652000ec57664728d6
Instruction ID: 7d94a65387752824c2530339b1b628fd94f185823b46172df39c02125885a0a1
Opcode Fuzzy Hash: dd89b709a5cf9fdb8da07e05806b55e6a81f2849d9defe652000ec57664728d6
Instruction Fuzzy Hash: F8E0C075B002248F8F55EBF8D45959DB7F1BBC82557108565E90AE3354EF385C01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F215E8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c784b0622627159f4ce95148440cf27cc9c485ab4b9733898733f076075826
Instruction ID: faf9b3a5105c07af2cf4bbaad37b36fef0125c187074c0ea8fdc4a4305d02200
Opcode Fuzzy Hash: 29c784b0622627159f4ce95148440cf27cc9c485ab4b9733898733f076075826
Instruction Fuzzy Hash: 7FE0EC37300019AFCF528F94F941ADA7B66FBA4265F044012FA15C6120C3369531AB65

Uniqueness

Uniqueness Score: -1.00%

Function 00F21D71, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b15b30e647297e2cce5378c248e3f26c985ce979a0e64dc191af8b92686fa0b
Instruction ID: b3a746e8bad6675527e4aba34f81685a3497746fa295f308625e689684ad8350
Opcode Fuzzy Hash: 5b15b30e647297e2cce5378c248e3f26c985ce979a0e64dc191af8b92686fa0b
Instruction Fuzzy Hash: 47D05E3150871A8BCA50EBA1F480A8533EEA7C028DB908910E1044A23DEFB06D088B82

Uniqueness

Uniqueness Score: -1.00%

Function 00F21D80, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91763cb19b124e1eecd85d5b5c0398203fdb172778cbac45335fa76ca53682c
Instruction ID: 4deb5d24d72673bfacc0059b3ba3b80381a6ad94581949e4ffc6fb1456ccbc4f
Opcode Fuzzy Hash: f91763cb19b124e1eecd85d5b5c0398203fdb172778cbac45335fa76ca53682c
Instruction Fuzzy Hash: A6C0123100871A4A8550BBA1F44159533DE57D010C3508E21E1091D23DAFB06D094796

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F21F60, Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

Tm, xrefs: 00F21F6C
Tm, xrefs: 00F21F92
Tm, xrefs: 00F21F9E
Tm, xrefs: 00F21F76

Memory Dump Source

Source File: 00000005.00000002.533707239.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID:
String ID: Tm$Tm$Tm$Tm
API String ID: 0-1017660347
Opcode ID: 943f8a7383e53a996f624db2288edb2f1206396e4fbfe1180e00b4e5086ba91d
Instruction ID: 25d319cbb1eb9eda3eefb2a86780acbae2bf6b3a7b1824d30a08595ef2fe098b
Opcode Fuzzy Hash: 943f8a7383e53a996f624db2288edb2f1206396e4fbfe1180e00b4e5086ba91d
Instruction Fuzzy Hash: B401B131B501258FC724DA6ED504A2E73E9BFE977171581A9F411CB360DB30DC41A786

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Halkbank.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior